
I am in quite a situation here at work, as I'm all of a sudden starting to get this error:

An exception of type 'System.Web.HttpRequestValidationException' occurred in System.Web.dll but was not handled in user code

Additional information: A potentially dangerous Request.Cookies value was detected from the client (CustomerRegionName="&#214").

I know that there are several threads about this issue already, and I've tried all of the answers I have seen, the most common being the following:

Use httpRuntime requestValidationMode="2.0" in your web.config (keeping any attributes you already have on that element, if it's already there). ASP.NET 4.0 ignores ValidateRequest otherwise.
Taken from: Here

I am building a website where most input is in Swedish, so to prevent browser problems I encode all cookie values with the help of the HttpUtility class.

That means that a value like "Örebro" will be encoded to something like this: %c3%96rebro.

And for some reason the .NET Framework thinks that this is some kind of dangerous value.

I have absolutely no idea what to do here... Any help would be greatly appreciated.

Community
Lasselito
  • Do you get the same error if you save straight hexadecimal (i.e., no % chars)? If not, encode your text into hex and write that out as the string, then decode it back when you need it. – Michael Gorsich Sep 06 '16 at 14:18
  • Thank you so much for the suggestion! I managed to create a string extension that did exactly what you suggested and it works. Have a great day! – Lasselito Sep 06 '16 at 15:29
  • You're welcome, and I'm going to turn this into an answer so others who have the same issue will get the same idea, and with some code. – Michael Gorsich Sep 06 '16 at 15:35

2 Answers


To avoid this error, convert your string into a hexadecimal representation of the string. This can be done with code like this:

// Requires: using System; using System.Text;
// Encode as UTF-8 so non-ASCII characters such as "Ö" survive the round trip
string ConvertedString = BitConverter.ToString(Encoding.UTF8.GetBytes(YourString));

Note that this string will have the hex separated into pairs with "-" (i.e., 4f-cc-12-ab).

When you read it back, restore it to the original string with code like this, assuming you read the encoded string back into string zBackInHex:

string zHex = zBackInHex.Replace("-", "");  //Strip the separators added by BitConverter
byte[] ba = new byte[zHex.Length / 2];  //One byte for each two chars in zHex
for(int ZZ = 0; ZZ < ba.Length; ZZ++){
   ba[ZZ] = Convert.ToByte(zHex.Substring(ZZ * 2, 2), 16);
}
// Decode with the same encoding that was used to encode (UTF-8)
string zBackIn = Encoding.UTF8.GetString(ba);  //The original string

I got the idea for this method from another post. I'd give credit, but I don't remember where I originally saw it.

Andrew Carmichael
Michael Gorsich
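Added example (not part of the original answer or either poster's code): the hex round trip from the answer above written as a helper that also treats the cookie as client-controlled input on the way back in, rejecting odd-length, non-hex, over-long or invalid UTF-8 values. The class name CookieText, the method names and the 512-character cap are assumptions made for illustration.

```csharp
using System;
using System.Text;

public static class CookieText
{
    // Strict UTF-8: invalid byte sequences throw instead of becoming U+FFFD.
    private static readonly UTF8Encoding StrictUtf8 = new UTF8Encoding(false, true);
    private const int MaxHexLength = 512; // assumed upper bound for one cookie value

    // Output uses only the characters 0-9 and A-F.
    public static string Encode(string value)
    {
        return BitConverter.ToString(StrictUtf8.GetBytes(value)).Replace("-", "");
    }

    // The cookie comes from the client, so reject anything that is not well-formed.
    public static bool TryDecode(string hex, out string value)
    {
        value = null;
        if (hex == null || hex.Length % 2 != 0 || hex.Length > MaxHexLength) return false;
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
        {
            int hi = Nibble(hex[2 * i]), lo = Nibble(hex[2 * i + 1]);
            if (hi < 0 || lo < 0) return false;
            bytes[i] = (byte)((hi << 4) | lo);
        }
        try { value = StrictUtf8.GetString(bytes); return true; }
        catch (DecoderFallbackException) { return false; }
    }

    private static int Nibble(char c)
    {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    public static void Main()
    {
        string back;
        string cookie = Encode("\u00D6rebro");              // constructed sample: "Örebro"
        Console.WriteLine(cookie);
        Console.WriteLine(TryDecode(cookie, out back) && back == "\u00D6rebro");
        Console.WriteLine(TryDecode("C3", out back));       // constructed: truncated UTF-8
        Console.WriteLine(TryDecode("%c3%96", out back));   // constructed: not hex
    }
}
```

The decoded value is still client-controlled, so HTML-encode it (for example with HttpUtility.HtmlEncode) wherever it is written into a page.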

Why don't you try to replace strings with IDs? That will remove all the hassle with encoding. Create a lookup table with region ID, RegionName. Pass the ID to your cookie, and there will be no problem with dangerous requests.

j.v.
  • That would be the natural solution if it wasn't for the fact that I need information down to street level. I can't fill a table with every possible street choice. – Lasselito Sep 06 '16 at 14:01