
  • Geoff Beaumont 75 posts 104 karma points
    Feb 10, 2011 @ 11:53
    Geoff Beaumont
    0

    Triggering dangerous request detection

    I'm trying to use Embedded Content (v1.08 on Umbraco 4.6.1, ASP.Net 4, Win2k8). I have a content picker, a text box and a boolean in my field - when I save the content item it's attached to, ASP.Net throws a potentially dangerous error warning, citing:

     

    (ctl00$body$EChiddenXmlValue118="<data><item id="1"><...")

    It does this regardless of whether anything is actually selected in Embedded Content (i.e. it is triggered by the control just passing <data></data>).


    Geoff

  • Alan 3 posts 23 karma points
    Feb 10, 2011 @ 12:04
    Alan
    0

    Hi Geoff,

    I'm quite new at this so don't know if it will help, but I got a similar error myself before. When I went to save content I was getting "A potentially dangerous Request.Form value was detected from the client"

    It seems to be an issue with ASP validation and you need to add the following line into your web.config file

    <httpRuntime requestValidationMode="2.0" />

    Here is the thread I found the answer in

    http://our.umbraco.org/forum/using/ui-questions/11432-A-potentially-dangerous-RequestForm-value-was-detected-when-updating-content-with-HTML-tags

    Hope it helps.

     

    Alan

  • Sascha Wolter 615 posts 1101 karma points
    Feb 10, 2011 @ 13:12
    Sascha Wolter
    0

    Hi Geoff,

    thanks for bringing the issue up, I've encountered similar issues on the road to v 1.1 and I think I've got the request validation issue fixed. v 1.1 is currently in beta state and available for manual download here, just unzip the file and copy everything in your umbraco install if you want to try it out. I aim to release the full version in about 24 hours after some testing if you rather want to wait. Please let me know if your issue still persists with the new version.

    @Alan: you're absolutely right, adding this entry to the web.config file will not generate the error in question. However you need to be very careful here, as you disable the error for all pages of the website, and since this is a very valuable tool for catching malicious code insertion 'attacks' I would think twice before doing that. Please have a go at version 1.1 once it's out and try to remove the entry again, I'd just sleep better at night. ;)

    Cheers,

    Sascha

  • Geoff Beaumont 75 posts 104 karma points
    Feb 10, 2011 @ 13:48
    Geoff Beaumont
    0

    Hi Sascha,

    I'm afraid not - it still throws the error when saving content, but now also throws it when saving the data type!

    Alan - thanks, I was aware of the ability to switch this check off globally, but it's not a risk I'm prepared to take.

    Geoff

  • Michael Latouche 504 posts 819 karma points MVP 3x c-trib
    Feb 10, 2011 @ 15:08
    Michael Latouche
    0

    Hi Geoff,

    I think it is possible to disable Validation request "locally" by setting the following Page_Init method in your template or in your user control:

    protected void Page_Init(object sender, EventArgs e)
    {
        ((umbraco.UmbracoDefault)this.Page).ValidateRequest = false;
    }

    Hope this helps.

    Cheers,

    Michael.

  • Geoff Beaumont 75 posts 104 karma points
    Feb 10, 2011 @ 16:42
    Geoff Beaumont
    0

    Hi Mike,

    This isn't a user control - it's Sascha's Embedded Content data type, which is a compiled server control.

    Geoff

  • Michael Latouche 504 posts 819 karma points MVP 3x c-trib
    Feb 10, 2011 @ 17:37
    Michael Latouche
    0

    Woops sorry, I should have paid more attention :-S

  • Geoff Beaumont 75 posts 104 karma points
    Feb 11, 2011 @ 11:05
    Geoff Beaumont
    0

    Hi Sascha,

    I've been doing some testing, and I think the solution to the dangerous request issue is simply to encode the XML data in both the xml value and xml schema hidden fields. Wrap everywhere they're set server side in Uri.EscapeDataString(), read Uri.UnescapeDataString(), then in the javascript everywhere do the same using encodeURIComponent() and decodeURIComponent().

    Seems to work reliably and stops the errors.

    Regards,
    Geoff
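
The JavaScript half of the encoding described in the post above, as an added example that is not from the thread or from the Embedded Content package (the server half would use Uri.EscapeDataString() and Uri.UnescapeDataString() as the post says). `looksDangerous` is a simplified approximation of ASP.NET request validation, all function names and sample values are constructed, and the checks after decoding are an assumed minimum, included because the encoded field is no longer readable to request validation.

```javascript
// looksDangerous(): simplified approximation of ASP.NET request validation
// ("<" followed by a letter, "!", "/" or "?", or the sequence "&#").
function looksDangerous(value) {
  return /<[A-Za-z!\/?]|&#/.test(value);
}

// What the script writes into the hidden field before the form is posted.
function packHiddenField(xml) {
  return encodeURIComponent(xml);
}

// Decode a field value, then treat the result as untrusted input.
// The checks are a hypothetical minimum, not the package's own logic.
function unpackHiddenField(fieldValue) {
  let xml;
  try {
    xml = decodeURIComponent(fieldValue);
  } catch (e) {
    // decodeURIComponent throws URIError on truncated or invalid sequences.
    return { ok: false, reason: "malformed percent-encoding" };
  }
  if (/<!DOCTYPE|<!ENTITY/i.test(xml)) {
    return { ok: false, reason: "DTD not allowed" };
  }
  if (!/^<data>[\s\S]*<\/data>$/.test(xml)) {
    return { ok: false, reason: "unexpected root element" };
  }
  return { ok: true, xml: xml };
}

// Constructed sample values modelled on the field content quoted in the thread.
const emptyValue = "<data></data>";
const sampleValue = '<data><item id="1"><text>Caf\u00e9 & bar</text></item></data>';

// Summary of how each sample looks to the validator before and after encoding.
function report(xml) {
  const packed = packHiddenField(xml);
  return {
    rawFlagged: looksDangerous(xml),
    packedFlagged: looksDangerous(packed),
    roundTrips: unpackHiddenField(packed).xml === xml,
  };
}

console.log(report(emptyValue), report(sampleValue));
```
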

  • Sascha Wolter 615 posts 1101 karma points
    Feb 12, 2011 @ 11:58
    Sascha Wolter
    0

    Hi Geoff,

    great stuff, didn't even know about these methods, that's absolutely marvellous! Will run some tests more on my machine and then upload a beta2.

    Many thanks for your help,

    Sascha
