3

Currently, when trying to submit a transaction that contains a dropdown whose text contains angle brackets, e.g. "<abcd>", I'm getting a 500 internal server error, since ValidateRequest=true by default and it throws an unhandled exception before it reaches the page handler, since it's a cross-site scripting problem.

Is there a way to intercept and modify the request object in an HttpModule or Global.asax, since I know the Request object is read-only?

I've been breaking my head for almost three days but am not able to get a concrete solution. What would be the best solution to handle these kinds of scenarios? Also, I don't want to encode it on the client side.

Oded
Syed

3 Answers

3

Encode the value in the listbox:

<asp:ListItem>&lt;abcd&gt;</asp:ListItem>

[Edit] I realize my solution does not apply. The content is probably sent encoded by the browser, and is rendered encoded too by the drop-down list (if you use standard databinding). I think your only option is to disable the validation of the request.

This implies you have to be very careful with user input. To keep it simple, encode every user input with HttpUtility.HtmlEncode(txtXX.Text);.

More on this in the Script Exploits Overview page of MSDN.

Steve B
  • But it will look very messy for the end user, having those characters (i.e. < or >) visible in the UI. I would like to handle "" on postback while clicking the submit button. – Syed Jan 05 '12 at 10:23
  • 1
    It will be decoded by the browser. It's the standard way to represent characters used by HTML syntax: http://www.w3.org/TR/html4/charset.html#h-5.3.2 – Steve B Jan 05 '12 at 10:26
  • I do not want to set ValidateRequest to false; instead I am looking for a universal solution wherein I can handle the request and modify it. Probably I am not on the right track. I tried with an HttpModule but I failed at modifying the request object. – Syed Jan 05 '12 at 11:00
  • Why don't you want to set ValidateRequest to false? If used with precaution, it will be far simpler than hooking the request to patch data. – Steve B Jan 05 '12 at 11:01
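One way to avoid the 500 without turning request validation off, as an added example that is not part of any answer above: post a surrogate key as the ListItem value so the request never carries "<" or ">", and HTML-encode the display text on output. The control names (ddlItems, lblChosen, btnSubmit), the page class and the item list are assumptions constructed for the example.

```csharp
// Added example (not from the question or any answer): keep ValidateRequest enabled by
// posting a numeric key instead of the raw "<abcd>" text, and encode on output.
// ddlItems, lblChosen, btnSubmit and the Items dictionary are hypothetical names / constructed data.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ItemPage : Page
{
    // Constructed sample data: display texts that contain markup-like characters.
    private static readonly Dictionary<string, string> Items = new Dictionary<string, string>
    {
        { "1", "<abcd>" },
        { "2", "plain item" },
        { "3", "<b>bold</b>" }, // would also trip request validation if posted raw
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        foreach (var kv in Items)
        {
            // Value (what the browser posts back) is the key, so the request body
            // contains no angle brackets and request validation stays on.
            // Text is the raw string; DropDownList HTML-encodes it when rendering.
            ddlItems.Items.Add(new ListItem(kv.Value, kv.Key));
        }
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        string key = ddlItems.SelectedValue; // e.g. "1": safe to validate and log
        string display;
        if (!Items.TryGetValue(key, out display))
        {
            lblChosen.Text = "Unknown selection."; // reject unexpected posted values
            return;
        }
        // Encode before writing user-controlled text into the page.
        lblChosen.Text = HttpUtility.HtmlEncode(display);
    }
}
```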
1

Use HttpUtility.HtmlEncode and HttpUtility.HtmlDecode to solve this problem.

You can put HTML-encoded text in the control or use these methods as per your requirement (between events).

Follow these SO threads...
HttpUtility.HtmlEncode to validate user entries
w3c validation error in asp.net

If you can disable validation, then follow this:
asp.net: Invalid postback or callback argument

Check MSDN for Script Exploits

Niranjan Singh
0

I prefer to use the Microsoft Anti-Cross Site Scripting Library V4.0, as it provides many helper functions to encode HTML, HTML attributes, JavaScript, URLs and XML to restrict cross-site attacks.

Matloob Ali