  • Garrett Fisher 341 posts 496 karma points
    Nov 19, 2015 @ 20:26

    AltTemplates -- Potentially Dangerous Request -- HtmlEncode?


    Does anyone know where the alttemplate querystring value is first processed at the request level?

    I've got an Umbraco (6.2.5) site which is failing a security scan because you can add...


    For example, as the value. I'd like to HtmlEncode it but I don't know where/how in the application flow this is handled. The ASP.NET YSOD fires long before any page/template where I am personally doing anything with that value:

    A potentially dangerous Request.QueryString value was detected from the client (alttemplate="<!--").

    Anything I can do to prevent this error?



  • Marc Goodson 1676 posts 11071 karma points MVP 6x c-trib
    Nov 19, 2015 @ 20:52

    If you don't use the altTemplate functionality you can now turn it off in the umbracoSettings.config file at the bottom:

            internalRedirectPreservesTemplate="false" disableAlternativeTemplates="true" 

    If you want to keep the altTemplate functionality but handle the comment attack, I think you'll need to register your own replacement version of the IContentFinder ContentFinderByNiceUrlAndTemplate.
