
  • Ritesh 11 posts 91 karma points
    Apr 04, 2017 @ 10:59
    Ritesh
    0

    A potentially dangerous Request.QueryString value was detected from the client.

    Hi,

    I have a search functionality where I want to secure user inputs.

    <form action="@urlToSearch" id="searchform" method="get">
        <div>
              <input type="text" id="s" name="s" value="@searchText" placeholder='Search' />
              <input type="submit" value="" id="searchsubmit" class="button avia-font-entypo-fontello" />
        </div>
    </form>
    

    While unit testing, I have entered "

    <script>alert('hello');</script>
    

    " and the page goes to "A potentially dangerous Request.QueryString value was detected from the client (s="script>alert('hello...")."

    When searching keyword home, url looks like http://localhost/search/?s=home

    Can anyone guide me on this, how can I secure my page from malicious attacks?

    Already tried adding <httpRuntime requestValidationMode="2.0" /> into web.config

    Using Umbraco 7.5.11 assembly: 1.0.6274.27352

    Thanks in advance.

  • Michael Latouche 504 posts 819 karma points MVP 3x c-trib
    Apr 04, 2017 @ 14:47
    Michael Latouche
    0

    Hi Ritesh,

    From what I read, it seems your page is secured already since it returned an error when you tried to enter malicious input data.

    Or do you want to have the possibility to actually search on such "malicious words"?

    Cheers,

    Michael.

  • Ritesh 11 posts 91 karma points
    Apr 05, 2017 @ 11:02
    Ritesh
    0

    Thanks Michael for your reply. I am looking for similar scenarios and how they can be handled, e.g. showing some custom message or disallowing users from entering such text input.

  • Michael Latouche 504 posts 819 karma points MVP 3x c-trib
    Apr 05, 2017 @ 11:26
    Michael Latouche
    100

    Hi Ritesh,

    Here are a few ideas that come to my mind:

    • client side validation via RegEx of some kind, so you can then show a custom warning text and prevent form submission

    • Catch the exception in your global.asax Application_Error method. If you implement an "unhandled exceptions handler" in your global.asax file, as described here, you will actually get in there with an exception of type

    System.Web.HttpRequestValidationException
    

    So you can make a check on the exception type, and if you get that specific type, you can display your custom message, redirect to a specific error page, etc.

    • remove the built-in validation from your config file and do the validation yourself on the server side. This allows you to handle this any way you want, but you have to make sure that your validation rules are bullet-proof ;-) And never forget to use "HTML encoding" when displaying the data.

    Hope this helps.

    Cheers,

    Michaël.
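    As an added illustration of the second and third ideas above (this is example code written for this thread, not code from the original posts or from Umbraco itself): the Application_Error handler checks for HttpRequestValidationException and redirects to an assumed /search-error/ page, and a small helper shows the server-side allow-list validation plus HTML encoding you would need if you turned request validation off. The Global class is shown deriving from HttpApplication; on an Umbraco 7 site it would normally derive from Umbraco.Web.UmbracoApplication instead, and the body of Application_Error is the same.

    ```csharp
    using System;
    using System.Text.RegularExpressions;
    using System.Web;

    // Global.asax.cs: turn the "potentially dangerous Request.QueryString value"
    // error into a friendly page instead of the default error screen.
    public class Global : HttpApplication
    {
        protected void Application_Error(object sender, EventArgs e)
        {
            Exception ex = Server.GetLastError();

            // ASP.NET raises HttpRequestValidationException before the page
            // runs, so the only place to catch it is here.
            if (ex is HttpRequestValidationException)
            {
                Server.ClearError();
                // "/search-error/" is an assumed content page; create it in Umbraco.
                Response.Redirect("/search-error/", endResponse: true);
            }
        }
    }

    // Server-side handling for the case where you disable request validation
    // (validateRequest="false") and validate the "s" parameter yourself.
    public static class SearchInput
    {
        // Allow-list: letters, digits, spaces and a few punctuation characters.
        // This pattern is an assumed policy; widen it to fit your content.
        private static readonly Regex Allowed =
            new Regex(@"^[\p{L}\p{N} \-'.,]{1,100}$", RegexOptions.Compiled);

        // Returns true when the raw query value is acceptable as a search term.
        public static bool IsValid(string raw)
        {
            return !string.IsNullOrWhiteSpace(raw) && Allowed.IsMatch(raw);
        }

        // Returns the text that is safe to echo back into the page. Razor's
        // "@searchText" already encodes; this is for Response.Write, Html.Raw
        // or any other path that bypasses Razor's automatic encoding.
        public static string ForDisplay(string raw)
        {
            return string.IsNullOrEmpty(raw) ? string.Empty : HttpUtility.HtmlEncode(raw);
        }
    }

    // Example usage inside a controller action or code-behind:
    //   string s = Request.QueryString["s"];
    //   if (!SearchInput.IsValid(s)) { ViewBag.Message = "Please use letters and numbers only."; return View(); }
    //   ViewBag.Echo = SearchInput.ForDisplay(s);  // <script> becomes &lt;script&gt;
    ```

    The allow-list rejects "<script>alert('hello');</script>" because "<", ">", "(" and ";" are outside the permitted character class, while an ordinary term such as "home" passes. Keeping the encoding step even after validation means a future loosening of the regex does not silently reintroduce script injection.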

  • Vikas 3 posts 73 karma points
    May 07, 2021 @ 11:36
    Vikas
    0

    Old question, but if anyone stumbles upon this, you can use the code below in web.config to entirely remove validation for specific folders or files

    <location path="YourFolder/.aspx">
      <system.web>
        <pages validateRequest="false" />
        <httpRuntime requestValidationMode="2.0" />
      </system.web>
    </location>
    

    Source: https://qawithexperts.com/questions/303/a-potentially-dangerous-requestform-value-was-detected-from Hope it helps.
