Triggering dangerous request detection
I'm trying to use Embedded Content (v1.08 on Umbraco 4.6.1, ASP.Net 4, Win2k8). I have a content picker, a text box and a boolean in my field - when I save the content item it's attached to, ASP.Net throws a potentially dangerous error warning, citing:
(ctl00$body$EChiddenXmlValue118="<data><item id="1"><...")
It does this regardless of whether anything is actually selected in Embedded Content (i.e. it is triggered by the control just passing <data></data>).
Geoff
Hi Geoff,
I'm quite new at this so don't know if it will help, but I got a similar error myself before. When I went to save content I was getting "A potentially dangerous Request.Form value was detected from the client"
It seems to be an issue with ASP validation and you need to add the following line into your web.config file:
<httpRuntime requestValidationMode="2.0" />
Here is the thread I found the answer in:
http://our.umbraco.org/forum/using/ui-questions/11432-A-potentially-dangerous-RequestForm-value-was-detected-when-updating-content-with-HTML-tags
Hope it helps.
Alan
Hi Geoff,
Thanks for bringing the issue up. I've encountered similar issues on the road to v 1.1 and I think I've got the request validation issue fixed. v 1.1 is currently in beta state and available for manual download here; just unzip the file and copy everything into your umbraco install if you want to try it out. I aim to release the full version in about 24 hours after some testing if you would rather wait. Please let me know if your issue still persists with the new version.
@Alan: you're absolutely right, adding this entry to the web.config file will not generate the error in question. However you need to be very careful here, as you disable the error for all pages of the website, and since this is a very valuable tool for catching malicious code insertion 'attacks' I would think twice before doing that. Please have a go at version 1.1 once it's out and try to remove the entry again, I'd just sleep better at night. ;)
Cheers,
Sascha
Hi Sascha,
I'm afraid not - it still throws the error when saving content, but now also throws it when saving the data type!
Alan - thanks, I was aware of the ability to switch this check off globally, but it's not a risk I'm prepared to take.
Geoff
Hi Geoff,
I think it is possible to disable Validation request "locally" by setting the following Page_Init method in your template or in your user control:
Hope this helps.
Cheers,
Michael.
Hi Mike,
This isn't a user control - it's Sascha's Embedded Content data type, which is a compiled server control.
Geoff
Woops sorry, I should have paid more attention :-S
Hi Sascha,
I've been doing some testing, and I think the solution to the dangerous request issue is simply to encode the XML data in both the xml value and xml schema hidden fields. Wrap everywhere they're set server side in Uri.EscapeDataString(), read them with Uri.UnescapeDataString(), then everywhere in the JavaScript do the same using encodeURIComponent() and decodeURIComponent().
Seems to work reliably and stops the errors.
Regards,
Geoff
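The round trip Geoff describes, shown from the JavaScript side as an added example that is not part of the original post or of Embedded Content's code. The `looksDangerous` check is an assumed approximation of the ASP.NET 4 request-validation rule, and the function names and sample values are constructed for illustration.

```javascript
// Approximation of the ASP.NET 4 request-validation rule (an assumption of
// this example, not the framework's source): flag "<" followed by a letter,
// "!", "/" or "?", and flag "&#".
function looksDangerous(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Client side: what the control's script would do before writing the XML
// into the hidden field.
function packHiddenField(xml) {
  return encodeURIComponent(xml);
}

// Reading side: the inverse. Returns null when the field is not valid
// percent-encoding (truncated or tampered value) instead of throwing.
function unpackHiddenField(fieldValue) {
  try {
    return decodeURIComponent(fieldValue);
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// Constructed sample values, including the empty document from the thread.
const SAMPLES = [
  '<data></data>',
  '<data><item id="1"><title>Caf\u00e9 &#38; bar</title></item></data>',
  '<data><item id="2"><flag>100% true</flag></item></data>',
];

// Reports whether the raw and the packed form would be flagged, and whether
// the value survives the round trip unchanged.
function roundTrip(xml) {
  const packed = packHiddenField(xml);
  return {
    rawFlagged: looksDangerous(xml),
    packedFlagged: looksDangerous(packed),
    packed: packed,
    restored: unpackHiddenField(packed),
  };
}

for (const xml of SAMPLES) {
  const r = roundTrip(xml);
  console.log(r.rawFlagged, r.packedFlagged, r.restored === xml, r.packed);
}
```

Once the field is decoded on the server, its content has not been inspected by request validation, so it should be loaded with an XML parser and its values HTML-encoded wherever they are rendered.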
Hi Geoff,
Great stuff, didn't even know about these methods, that's absolutely marvellous! Will run some more tests on my machine and then upload a beta2.
Many thanks for your help,
Sascha