Cross-Site Scripting...

In the Page directive, insert ValidateRequest="False"

It's set to True by default in v1.1
 
Here's my situation though.

I develop on VS.NET 2002 and upload my project to my web hosting provider
who uses the 1.1 framework.

When I add the validateRequest="False" directive into my code, it does
nothing because I am compiling against the 1.0 framework.
 
Hi Scott M,


Thank you for using Microsoft Newsgroup Service. Based on your description,
you're looking for some information on "preventing Cross-Site
Scripting". This is a security issue which is concerned with the client-side
browser and its data communication with the server side. It is unlike some other
server-side attributes that can simply be configured or set on the server side.
I've reviewed some references on this issue; here are some tech
articles in the MS Knowledge Base library which
provide a detailed explanation of it:

HOWTO: Prevent Cross-Site Scripting Security Issues
http://support.microsoft.com/?id=252985

Preventing Internet Explorer and Outlook Express Cross-Site Scripting
Security Issues
http://support.microsoft.com/default.aspx?scid=kb;EN-US;253117

Please have a look to see whether they help you. If you have any questions
on it, please feel free to let me know.


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Thanks for your reply. I am aware of what cross-site scripting is and its
potential dangers are. I need to deactivate it for one page only and that
page is password protected.

My application is built using VS.NET 2002 but is being run on a server that
runs the 1.1 framework so when I add the page level ValidateRequest="False",
nothing happens because I am compiling with the 1.0 framework.

Any suggestions how to turn it off for this one page in my circumstance?

Thanks.
 
Hi Scott M,

Thank you for the prompt response. Yes, the "ValidateRequest" attribute is
used in ASP.NET 1.1; in 1.0 you need to manually add custom methods or a
mechanism to implement the cross-site scripting check. So I don't think that
you need to do anything by default? Also, you've mentioned that you have a
certain page which needs the cross-site scripting check disabled. Would you
please provide more information about what you'd like to do on this page
and what problem you encountered when running the functionality on that
page? And here is a web link for how to implement a "cross-site scripting
check" manually in ASP.NET 1.0; you may have a look to see whether it
provides some ideas:
http://msdn.microsoft.com/library/en-us/dnaspp/html/scriptingprotection.asp?frame=true

In the mean time, I'll do further research on this issue. If you have any
questions or new findings, please feel free to let me know, thanks.


Steven Cheng
Microsoft Online Support

 
Hi Steven,

Thanks for your help. I think you've got my situation backwards. I don't
want to implement a cross-site scripting check in my application. I'm
already getting that functionality because my application (which was written
and compiled in the 1.0 Framework) is running under the 1.1 Framework.

What I need to do is "disable" this inherent cross-site scripting check for
one particular page of mine. I have tried adding the page directive of
validateRequest="false", but this does not disable the check.

I have one password-protected page in my site which allows
me (using a DataGrid) to modify SQL Server data that is used on a different
page and rendered in a Calendar control. I need to be able to add HTML to
the SQL data, so that when it appears on the calendar, it appears as I want
it to.

I have put a temporary fix in place. Instead of me entering "<" and ">"
characters, I enter "[" and "]" characters and once the form data is
submitted, I convert "[" to "<" and "]" to ">". This works, but it is
clumsy.
 
Hi Scott M,

Thank you for your prompt response. First I'd like to apologize for
misunderstanding your problem. Now I've got it: you have a single page
which you want to exclude from the "request validation" provided by ASP.NET, yes?
After reviewing the situation you mentioned in the preceding reply, I
think that the main problem is that your page is compiled under .NET
Framework 1.0 and now the environment is 1.1. Since in ASP.NET 1.0 there is
no "request validation" for pages, the compiled page class (assembly)
doesn't have any information for this. But because your deployment environment
is version 1.1, the ASP.NET runtime will check the page class for the
"validateRequest" information; it can't find it since nothing is set in
1.0, so the ASP.NET runtime uses the default setting in the web.config. If there is
no setting in the web.config, it uses the default setting in the
machine.config, where the default value is validateRequest="true". Then you will
encounter the request validation exception, such as:

------------------------------ exception occurred ------------------------------
A potentially dangerous Request.Form value was detected from the client
(txtTagContent="<adfd>").
Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by
setting validateRequest=false in the Page directive or in the configuration
section. However, it is strongly recommended that your application
explicitly check all inputs in this case.
--------------------------------------------------------------------------------

Is the situation I described same as yours? Please let me know if there is
anything different.

If so, here is some of my suggestions:

1. Since the "validateRequest" page attribute can only be set for ASP.NET
1.1 pages, do you think it is possible for you to recompile the page classes
under the 1.1 framework?

2. If it is really uncomfortable for you to recompile the pages again,
I have another way to work around this problem. Since the default value of
"validateRequest" can be set in the web.config file, we can take advantage of
this feature to set the default value to "false". However, you may think
that it'll leave all the pages with no request validation checking. Yes, but
in ASP.NET web applications there can be more than one web.config file as
long as they are in different folders. So my suggestion is to create a
separate subfolder, and put a certain web.config file particularly for
that subfolder.
For example, my web application's root folder is "MyWebApp"; it has some
pages and a web.config file. Then I create another subfolder named
"noncheck" and also provide a web.config file in it. The file structure is
like:

wwwroot/MyWebApp
    web.config
    ...some asp.net pages
    /noncheck
        singlenocheck.aspx
        web.config

"singlenocheck.aspx" is the page which needs no "validateRequest" check.
Then, in the "MyWebApp" folder's web.config file, we set
validateRequest to true; just add this:

    <pages validateRequest="true" />

In the "noncheck" subfolder's web.config file, we set it as below:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <system.web>
            <pages validateRequest="false" />
        </system.web>
    </configuration>

Thus, when we request the pages in the root folder, the ASP.NET runtime
will perform the request validation check, and if we request
"singlenocheck.aspx" in the "noncheck" folder, it will apply the setting in
the subfolder's web.config and won't check the request data.

Please try the preceding suggestions to see whether they help. If you have
any new findings please also let me know. Thanks.


Merry Christmas!!

Steven Cheng
Microsoft Online Support

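Once request validation is switched off for the "noncheck" subfolder as described above, the page itself becomes responsible for the "explicitly check all inputs" step that the exception message asks for. The following is an added example, not code from this thread or from Microsoft, of the kind of allow-list filter that can replace both the blanket validation and Scott's "[" / "]" substitution: it keeps a small fixed set of formatting tags, emits them in canonical form without attributes, and HTML-encodes everything else. It assumes .NET Framework 1.x-compatible C# (no generics), a reference to System.Web, and that the calendar only needs the hypothetical tag list in AllowedTags; the txtTagContent control name is taken from the exception text quoted earlier.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the thread). Allow-list sanitizer for HTML that is
// entered on the password-protected DataGrid page and later rendered inside a
// Calendar control on a public page.
public class CalendarHtmlSanitizer
{
    // Hypothetical allow-list: only bare formatting tags, never attributes,
    // so on*= handlers, href="javascript:" and style= can never get through.
    private static readonly string[] AllowedTags = { "b", "i", "u", "br", "p" };

    // Matches anything shaped like a tag. Group 1 = optional "/", group 2 = name,
    // group 3 = whatever follows the name (attributes or a trailing "/").
    private static readonly Regex TagPattern =
        new Regex(@"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>", RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        if (input == null) return String.Empty;

        StringBuilder output = new StringBuilder(input.Length);
        int last = 0;

        foreach (Match m in TagPattern.Matches(input))
        {
            // Text between tags is always encoded, so a stray "<script" that
            // never became a complete tag, or a bare "&" or "\"", is rendered inert.
            output.Append(HttpUtility.HtmlEncode(input.Substring(last, m.Index - last)));

            string closing = m.Groups[1].Value;
            string name = m.Groups[2].Value.ToLower();
            string attrs = m.Groups[3].Value.Trim();

            if (IsAllowed(name) && (attrs.Length == 0 || attrs == "/"))
            {
                // Re-emit a canonical tag built from the name only, never the
                // user's original bytes.
                output.Append('<').Append(closing).Append(name);
                if (attrs == "/") output.Append(" /");
                output.Append('>');
            }
            else
            {
                // Unknown tag, or an allowed tag carrying attributes: show it as
                // literal text instead of dropping it silently, so the editor
                // can see what was rejected.
                output.Append(HttpUtility.HtmlEncode(m.Value));
            }
            last = m.Index + m.Length;
        }

        output.Append(HttpUtility.HtmlEncode(input.Substring(last)));
        return output.ToString();
    }

    private static bool IsAllowed(string name)
    {
        foreach (string allowed in AllowedTags)
        {
            if (allowed == name) return true;
        }
        return false;
    }

    // Stand-alone check with constructed input; in the real page this would be
    //   string safe = CalendarHtmlSanitizer.Sanitize(txtTagContent.Text);
    // before the value is written to SQL Server.
    public static void Main()
    {
        string constructed = "Team <b>meeting</b> at 9<br/>"
            + "<a href=\"http://example.invalid\" onclick=\"alert(1)\">link</a>"
            + " & <script>alert(1)</script>";
        Console.WriteLine(Sanitize(constructed));
        // Expected: Team <b>meeting</b> at 9<br />
        //           &lt;a href=&quot;http://example.invalid&quot; onclick=&quot;alert(1)&quot;&gt;link&lt;/a&gt;
        //           &amp; &lt;script&gt;alert(1)&lt;/script&gt;
    }
}
```

Running the filter on the way in (before the value reaches SQL Server) matches the thread's workflow, but it is safer to also apply it where the calendar renders the stored value, so that data that entered the table by any other route (a direct SQL edit, an older import) is covered too. If the calendar ever needs tags with attributes, extend the allow-list per attribute rather than relaxing the "no attributes" rule.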
 