Hi. I have created a web-based "file manager", for remote-administration of
a web-site. It works okay.
The "main" form in the "file manager" is BrowseFiles.aspx. I can edit the
text files (among which the "js" files) by clicking on an anchor which
redirects me to "edit.aspx".
Once in "edit.aspx", after I view a ".js" file, for instance, I click on the
button "Return to file manager". The code in the command "Return to file
manager" is mainly
Response.Redirect("BrowseFiles.aspx?Folder=" & strFolderPath) where
strFolderPath is the folder I was viewing before starting the edit.
I get:
___________________________________________________________
Server Error in '/aspnetprojects/vsnet/ThePhile' Application.
A potentially dangerous Request.Form value was detected from the client
(txtFileContent="...uterHeight<screen.availHeight...").
Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by setting
validateRequest=false in the Page directive or in the configuration section.
However, it is strongly recommended that your application explicitly check
all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially
dangerous Request.Form value was detected from the client
(txtFileContent="...uterHeight<screen.availHeight...").
___________________________________________________________
Note: txtFileContent is the text box in which I show the file to edit
(using, of course, stream readers).
I have tried using their suggestion (validateRequest=false) but it does not
change a thing... What am I doing wrong?
Thank you.
Alex.

The reason may be the "<" or any html or script tag for that matter. Try it
again with a demo file which just contains "<foo>" or something and see if
you get the same error. Then try it with a file that has just "foo" and you
may not get any errors.
If this is the case then the way to fix it is to convert all < and > chars
to &lt; and &gt; when displaying to the client. You will then need to convert them
back again when receiving them.
The reason: Well the error report is telling you that the user has input a
script or script tag which could potentially be of harm. This is why most
forums etc do not accept HTML code from public users.
I could be wrong, but I hope it helps.
Regards
Geoff
"Alex Nitulescu" wrote:
> Hi. I have created a web-based "file manager", for remote-administration of
> a web-site. It works okay.
> The "main" form in the "file manager" is BrowseFiles.aspx. I can edit the
> text files (among which the "js" files) by clicking on an anchor which
> redirects me to "edit.aspx".
> Once in "edit.aspx", after I view a ".js" file, for instance, I click on the
> button "Return to file manager". The code in the command "Return to file
> manager" is mainly
> Response.Redirect("BrowseFiles.aspx?Folder=" & strFolderPath) where
> strFolderPath is the folder I was viewing before starting the edit.
> I get:
> ___________________________________________________________
> Server Error in '/aspnetprojects/vsnet/ThePhile' Application.
> A potentially dangerous Request.Form value was detected from the client
> (txtFileContent="...uterHeight<screen.availHeight...").
> Description: Request Validation has detected a potentially dangerous client
> input value, and processing of the request has been aborted. This value may
> indicate an attempt to compromise the security of your application, such as
> a cross-site scripting attack. You can disable request validation by setting
> validateRequest=false in the Page directive or in the configuration section.
> However, it is strongly recommended that your application explicitly check
> all inputs in this case.
> Exception Details: System.Web.HttpRequestValidationException: A potentially
> dangerous Request.Form value was detected from the client
> (txtFileContent="...uterHeight<screen.availHeight...").
> ___________________________________________________________
> Note: txtFileContent is the text box in which I show the file to edit
> (using, of course, stream readers).
> I have tried using their suggestion (validateRequest=false) but it does not
> change a thing... What am I doing wrong?
> Thank you.
> Alex.
Geoff, you were right - I tried a foo.html file, first containing "foo", and
second containing "<foo>". Obviously, the first time it worked, the second
time not.
I guess the only solution would be to convert those < and > to something
else - I'll have to find a convenient replacement symbol..
"Geoff Willings" <GeoffWillings@.discussions.microsoft.com> wrote in message
news:058EC81A-23FD-490B-8A8B-4968FB5681DD@.microsoft.com...
> The reason may be the "<" or any html or script tag for that matter. Try it
> again with a demo file which just contains "<foo>" or something and see if
> you get the same error. Then try it with a file that has just "foo" and you
> may not get any errors.
> If this is the case then the way to fix it is to convert all < and > chars
> to &lt; and &gt; when displaying to the client. You will then need to convert them
> back again when receiving them.
> The reason: Well the error report is telling you that the user has input a
> script or script tag which could potentially be of harm. This is why most
> forums etc do not accept HTML code from public users.
> I could be wrong, but I hope it helps.
> Regards
> Geoff
> "Alex Nitulescu" wrote:
>
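
Added example, not code from anyone in the thread: a VB.NET console sketch of the encode-on-display, decode-on-receipt round trip suggested above, using HttpUtility.HtmlEncode and HttpUtility.HtmlDecode. The module and function names and the sample strings are constructed, and LooksDangerous is a simplified stand-in for request validation, not the framework's actual rule set.

```vb
Imports System
Imports System.Web   ' HttpUtility lives in System.Web.dll (add a reference)

Module EditorRoundTrip

    ' Encode before assigning to txtFileContent.Text, so the value posted
    ' back contains &lt; / &gt; / &amp; instead of raw markup characters.
    Function EncodeForEditor(ByVal fileText As String) As String
        Return HttpUtility.HtmlEncode(fileText)
    End Function

    ' Decode the posted value before writing it back to the file.
    Function DecodeFromEditor(ByVal postedText As String) As String
        Return HttpUtility.HtmlDecode(postedText)
    End Function

    ' Simplified stand-in for request validation (an assumption): flag "<"
    ' followed by a letter, and "&#". HtmlEncode can itself emit numeric
    ' entities (&#...;) for some characters, which this check also flags.
    Function LooksDangerous(ByVal value As String) As Boolean
        For i As Integer = 0 To value.Length - 2
            Dim c As Char = value.Chars(i)
            Dim nxt As Char = value.Chars(i + 1)
            If c = "<"c AndAlso Char.IsLetter(nxt) Then Return True
            If c = "&"c AndAlso nxt = "#"c Then Return True
        Next
        Return False
    End Function

    Sub Main()
        ' Constructed samples: a comparison like the one in the error
        ' message, and a file that already contains literal entities.
        Dim samples() As String = { _
            "if (h<screen.availHeight) resize();", _
            "var s = ""&lt;b&gt;"";" }

        For Each original As String In samples
            Dim encoded As String = EncodeForEditor(original)
            Dim restored As String = DecodeFromEditor(encoded)
            Console.WriteLine("raw flagged:     {0}", LooksDangerous(original))
            Console.WriteLine("encoded flagged: {0}", LooksDangerous(encoded))
            Console.WriteLine("round trip ok:   {0}", restored = original)
        Next
    End Sub

End Module
```

Because HtmlEncode also escapes "&", a file that already contains "&lt;" comes back unchanged after decoding, which an ad hoc replacement symbol does not guarantee.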