  • Garrett Fisher 341 posts 496 karma points
    Nov 19, 2015 @ 20:26

    AltTemplates -- Potentially Dangerous Request -- HtmlEncode?

    Hi,

    Does anyone know where the alttemplate querystring value is first processed at the request level?

    I've got an Umbraco (6.2.5) site which is failing a security scan because you can add...

    "?alttemplate=<!--"
    

    For example, as the value. I'd like to HtmlEncode it but I don't know where/how in the application flow that this is handled. The ASP.NET YSOD fires long before any page/template where I am personally doing anything with that value:

    A potentially dangerous Request.QueryString value was detected from the client (alttemplate="<!--").
    

    Anything I can do to prevent this error?

    Thanks,

    Garrett

  • Marc Goodson 2157 posts 14434 karma points MVP 9x c-trib
    Nov 19, 2015 @ 20:52

    If you don't use the altTemplate functionality you can now turn it off in the umbracoSettings.config file at the bottom:

          <web.routing
            trySkipIisCustomErrors="false"
            internalRedirectPreservesTemplate="false"
            disableAlternativeTemplates="true"
            disableFindContentByIdPath="false"
            umbracoApplicationUrl="">
          </web.routing>
    

    If you want to keep the altTemplate functionality but handle the comment attack, I think you'll need to register your own replacement version of the IContentFinder, ContentFinderByNiceUrlAndTemplate:

    https://github.com/umbraco/Umbraco-CMS/blob/d50e49ad37fd5ca7bad2fd6e8fc994f3408ae70c/src/Umbraco.Web/Routing/ContentFinderByNiceUrlAndTemplate.cs

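As an added example (not from the original thread and not Umbraco's own code), this is the shape such a replacement finder could take for Umbraco 6.x: it refuses any template alias that is not a plain identifier before it ever reaches the template lookup, and falls through to the remaining finders otherwise. The `ContentFinderByNiceUrl.FindContent`, `PublishedContentRequest.TrySetTemplate`, `ApplicationEventHandler` and `ContentFinderResolver` members are assumed from the Umbraco 6/7 routing API and should be checked against the 6.2.5 source linked above; domain-relative paths are left out for brevity.

```csharp
using System.Text.RegularExpressions;
using Umbraco.Core;
using Umbraco.Web.Routing;

// Added example, not Umbraco's code. Template aliases are letters, digits and
// underscores; anything else (such as "<!--") is rejected instead of resolved.
public class SafeContentFinderByNiceUrlAndTemplate : ContentFinderByNiceUrl
{
    private static readonly Regex SafeAlias =
        new Regex(@"^[A-Za-z0-9_]{1,64}$", RegexOptions.Compiled);

    public override bool TryFindContent(PublishedContentRequest request)
    {
        // Assumed to mirror the stock finder: the alias is the last URL segment
        // (/path/to/page/templateAlias), but here it is validated first.
        var path = request.Uri.GetAbsolutePathDecoded();
        var pos = path.LastIndexOf('/');
        if (pos <= 0) return false;                  // "/" or no template segment

        var alias = path.Substring(pos + 1);
        if (!SafeAlias.IsMatch(alias)) return false; // malformed alias: do not resolve

        // Resolve the content for the remaining route, then apply the template.
        var route = path.Substring(0, pos);
        var node = FindContent(request, route);      // protected helper on the base class (assumed)
        if (node == null) return false;

        request.PublishedContent = node;
        return request.TrySetTemplate(alias);        // false if no template has this alias
    }
}

// Swap the stock finder for the hardened one when the application starts.
public class SafeFinderRegistration : ApplicationEventHandler
{
    protected override void ApplicationStarting(UmbracoApplicationBase app, ApplicationContext ctx)
    {
        ContentFinderResolver.Current
            .InsertTypeBefore<ContentFinderByNiceUrlAndTemplate, SafeContentFinderByNiceUrlAndTemplate>();
        ContentFinderResolver.Current.RemoveType<ContentFinderByNiceUrlAndTemplate>();
    }
}
```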