
My company security policy dictates that I cannot turn off the ValidateRequest attribute for our forms website.

I am getting error reports from the site for potentially dangerous Request.Form input.

I can see from all of the errors that the danger is being picked up from foreign characters (such as German and Norwegian characters with umlauts) in the address fields.

I'm a little confused as to how these characters are even becoming HTML encoded, because the dangerous character combination is like &#229; which is the ö character.

A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$tbxDeliveryAddress="...last As B&#229;smosjyen 4 Mo...")

Obviously this is not malicious, and I need to allow customers to enter their addresses, including the umlauts. I wondered if the customer was unknowingly doing this by copy and paste, so I set up an experiment with two labels and a text box: one label encoded some text with an umlaut in it, and the other label just printed the umlaut (I checked the HTML source on the rendered page, and this was behaving). I then copied and pasted each label in turn into the text box and submitted the form, but neither errored.

So I'm confused as to how this input is coming about from the customer. I find it hard to believe they would physically type &#229; into a text box when typing their address. As I don't really know how foreign keyboards work, can anyone shed any light on this?

How can I stop this non-malicious text being caught by this feature in .NET without turning off the ValidateRequest attribute? It's really a pain for customers trying to innocently enter their delivery addresses.

EDIT

I have noticed, in the error message, that the text is actually coming from a multi-line textbox field, which generates the textarea HTML control. I wonder if this particular control is rendering the contents as HTML-encoded text? I say this because the end user can't actually edit directly in this field; it is populated automatically, with a modal pop-up to edit the address on individual lines. Does the multiline textbox automatically HTML-encode its contents?

Stuart
  • Can you reproduce the error if you enter an `ö`, `ü` or `ä`? – Tim Schmelter Nov 04 '14 at 09:25
  • The only way I know how to type characters like this is by pressing the ALT key and typing the code, like ALT+229. This doesn't produce the error either. But I'm not sure how real people type these characters on the keyboard when it's their native language. I'm assuming they don't use the ALT+code technique... – Stuart Nov 04 '14 at 09:34
  • No, there are keys for öäüß directly on the keyboard. However, the resulting character should be the same, whether it's input directly or via alt+digits. – DasKrümelmonster Nov 04 '14 at 09:44
  • @Stuart: what kind of modal popup, jQuery or ASP.NET? I guess that's the reason for the encoded text. How does it populate it, via server roundtrip or per JavaScript? – Tim Schmelter Nov 04 '14 at 10:32
  • It's a Bootstrap modal popup, but the textboxes there are handled and an Address object is populated with the values from the text boxes. Then the multiline textbox on the form is populated from the Address object by C# code-behind. I'm not doing any encoding/decoding myself in the C# though. The error appears to be complaining about the text in the multiline textbox, though. Since the trace doesn't hint at the last action taken, I'm assuming the error is occurring on the next postback once this textbox has been populated with text. – Stuart Nov 04 '14 at 10:36
