
We have a text box in Sitecore that allows users to search for things. This posts back to the server, which goes off, does a search and returns some results (showing them on the screen).

When I input something dodgy, e.g. some markup, I would expect to receive a .NET exception along the lines of:

A potentially dangerous Request.QueryString value was detected from the client (q="<img src="http://www..."). 

As I understand it, that has been the default behaviour since v1.1 of ASP.NET. In v4.0 it remained the default; they just extended it to all requests (not just web pages).

So the question is as follows:

1. How have Sitecore disabled this?
2. What can I do to re-enable this globally (i.e. not on a per-page basis)?

I note there is a section of the web.config that starts like this:

<!-- Continue to run Sitecore without script validations -->
<pages validateRequest="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
chrislewisdev
  • I think your answer is here: http://stackoverflow.com/questions/2673850/validaterequest-false-doesnt-work-in-asp-net-4 –  Feb 02 '12 at 15:50
  • are you sure? Because I'm not trying to disable it; I'm trying to get the default behaviour back. Also, in C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\web.config Line 18: So this should be the root config which will be the default value if you don’t specify in your website’s web.config. – chrislewisdev Feb 02 '12 at 15:59
  • Well, if I understood well, .NET 4 changed that behavior. Yes, I assumed that you're building on top of v4. So, then, this should force v4 to behave like v2 in that respect: ` `. Then, you should be able to configure it the same way you used to with asp.net 2.0/3.5. –  Feb 02 '12 at 17:40

1 Answer

You answered your own questions. Here are answers to your questions:

  1. In Sitecore the default web.config comes with this set as <pages validateRequest="false" ... />

  2. To turn it on, set it to true

Also, you can take a look at this blog post which indicates the SuppressFormValidation processor in the PreprocessRequest pipeline may be causing this issue you're having.

Here's the "offending" code that was identified:

namespace Sitecore.Pipelines.PreprocessRequest
{
    public class SuppressFormValidation : PreprocessRequestProcessor
    {
        public override void Process(PreprocessRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            try
            {
                NameValueCollection form = args.Context.Request.Form;
            }
            catch (HttpRequestValidationException exception)
            {
                if (!args.Context.Request.RawUrl.StartsWith("/sitecore/shell/", StringComparison.InvariantCultureIgnoreCase))
                {
                    Log.Error(exception.Message, exception, this);
                }
            }
        }
    }
}

The blog post has new code you can replace it with to only suppress validation in the Sitecore shell (the back-end GUI).

Mark Ursino
  • This has no effect. I'll raise it to Sitecore support. – chrislewisdev Feb 03 '12 at 10:18
  • That seems to be the right answer. I've taken out that pipeline step and it works fine. I'll look to re-enable it as that guy has done because Sitecore's own docs advise that taking it out altogether may break the content editor: http://sdn.sitecore.net/Scrapbook/Configuring%20pages%20web,-d-,config%20section.aspx – chrislewisdev Feb 03 '12 at 16:03
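
A sketch of the shell-only variant the answer describes, added here as an example; it is not the code from the linked blog post or from Sitecore. The namespace and class name are hypothetical, and the Sitecore types are the ones used in the snippet quoted in the answer.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.PreprocessRequest;

namespace Example.Pipelines // hypothetical namespace
{
    // Hypothetical replacement for SuppressFormValidation: validation failures
    // are tolerated only for the Sitecore shell (the back-end GUI) and are
    // rethrown for every other request, so the public site gets the normal
    // "A potentially dangerous Request... value was detected" error.
    public class SuppressFormValidationInShellOnly : PreprocessRequestProcessor
    {
        private const string ShellPrefix = "/sitecore/shell/";

        public override void Process(PreprocessRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            try
            {
                // The first read of Request.Form is what runs ASP.NET request
                // validation on the posted fields. The original processor reads
                // it here and swallows the exception, so later reads by page
                // code no longer throw.
                NameValueCollection form = args.Context.Request.Form;
            }
            catch (HttpRequestValidationException exception)
            {
                string rawUrl = args.Context.Request.RawUrl;
                bool isShell = rawUrl.StartsWith(
                    ShellPrefix, StringComparison.OrdinalIgnoreCase);

                if (isShell)
                {
                    // Content editor traffic legitimately posts markup.
                    return;
                }

                // Front-end request: record it and let validation fail the request.
                Log.Error(exception.Message, exception, this);
                throw;
            }
        }
    }
}
```

To use it, the existing SuppressFormValidation entry in the PreprocessRequest pipeline would point at this class instead, with validateRequest set to true as described in the answer.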