473,549 Members | 3,128 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Cross-Site Scripting...

How can I disable the cross-site scripting check for one particular page of
a site?
Nov 18 '05 #1
7 3897
In the Page directive, insert ValidateRequest ="False"

It's set to True by default in v1.1
"Scott M." <s-***@BADSPAMsnet .net> wrote in message
news:uf******** ******@TK2MSFTN GP09.phx.gbl...
How can I disable the cross-site scripting check for one particular page of a site?

Nov 18 '05 #2
Here's my situation though.

I develop on VS.NET 2002 and upload my project to my web hosting provider
who uses the 1.1 framework.

When I add the validateReqest = "False" directive into my code, it does
nothing because I am compiling against the 1.0 framework.
"George Durzi" <gd****@hotmail .com> wrote in message
news:Oy******** ******@TK2MSFTN GP10.phx.gbl...
In the Page directive, insert ValidateRequest ="False"

It's set to True by default in v1.1
"Scott M." <s-***@BADSPAMsnet .net> wrote in message
news:uf******** ******@TK2MSFTN GP09.phx.gbl...
How can I disable the cross-site scripting check for one particular page

of
a site?


Nov 18 '05 #3
Hi Scott M,
Thank you for using Microsoft Newsgroup Service. Based on your description,
you're looking for some information on "preventing the Cross-Site
Scripting". This is a security issue which concerned with the client side
browser and data communication with the serverside. It is unlike some other
serverside attributes that can be configured or set simply on serverside.
I've reviewed for some references on this issue, here are some tech
articles in the MS Knowlege base library which
has provided detailed explaination on it:

HOWTO: Prevent Cross-Site Scripting Security Issues View products that this
article applies to.
http://support.microsoft.com/?id=252985

Preventing Internet Explorer and Outlook Express Cross-Site Scripting
Security Issues
http://support.microsoft.com/default...b;EN-US;253117

Please have a look to see whether they help you. If you have any questions
on it, please feel free to let me know.
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Nov 18 '05 #4
Thanks for your reply. I am aware of what cross-site scripting is and its
potential dangers are. I need to deactivate it for one page only and that
page is password protected.

My application is built using VS.NET 2002 but is being run on a server that
runs the 1.1 framework so when I add the page level ValidateRequest ="False",
nothing happens because I am compiling with the 1.0 framework.

Any suggestions how to turn it off for this one page in my circumstance?

Thanks.
"MSFT" <v-******@online.m icrosoft.com> wrote in message
news:OQ******** ******@cpmsftng xa07.phx.gbl...
Hi Scott M,
Thank you for using Microsoft Newsgroup Service. Based on your description, you're looking for some information on "preventing the Cross-Site
Scripting". This is a security issue which concerned with the client side
browser and data communication with the serverside. It is unlike some other serverside attributes that can be configured or set simply on serverside.
I've reviewed for some references on this issue, here are some tech
articles in the MS Knowlege base library which
has provided detailed explaination on it:

HOWTO: Prevent Cross-Site Scripting Security Issues View products that this article applies to.
http://support.microsoft.com/?id=252985

Preventing Internet Explorer and Outlook Express Cross-Site Scripting
Security Issues
http://support.microsoft.com/default...b;EN-US;253117

Please have a look to see whether they help you. If you have any questions
on it, please feel free to let me know.
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 18 '05 #5
Hi Scott M,

Thank you for the prompt response. Yes, the "ValidateReques t" attribute is
used in ASP.NET1.1, in 1.0 you need to manually add custom methods or
machism to implement the cross-site scripting check. So I don't think that
you need to do anything by default? Also, you've mentioned that you've a
certain page which need to disable the cross-scripting check, would you
please provide more information about what you'd like to do on this page
and what's the problem you encountered when run the funcionality on that
page? And here is a weblink for how to implement "cross-site scripting
check" manually in ASP.NET1.0, you may have a look to see whether it'll
provide some ideas.:
http://msdn.microsoft.com/library/en...rotection.asp?
frame=true

In the mean time, I'll do further research on this issue. If you have any
questions or new findings, please feel free to let me know, thanks.
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 18 '05 #6
Hi Steven,

Thanks for your help. I think you've got my situation backwards. I don't
want to implement a cross-site scripting check in my application. I'm
already getting that functionality (because my application which was written
and compiled in the 1.0 Framework) is running under the 1.1 Framework.

What I need to do is "disable" this inherent cross-site scripting check for
one particular page of mine. I have tried adding the page directive of
validateRequest ="false", but this does not disable the check.

I have one page in my site that is password protected to get to which allows
me to (using a DataGrid) modify SQL Server data that is used on a different
page and rendered in a Calendar control. I need to be able to add HTML to
the SQL data, so that when it appears on the calendar, it appears as I want
it to.

I have put a temporary fix in place. Instead of me entering "<" and ">"
characters, I enter "[" and "]" characters and once the form data is
submitted, I convert "[" to "<" and "]" to ">". This works, but it is
clumsy.
"Steven Cheng[MSFT]" <v-******@online.m icrosoft.com> wrote in message
news:HF******** ******@cpmsftng xa07.phx.gbl...
Hi Scott M,

Thank you for the prompt response. Yes, the "ValidateReques t" attribute is
used in ASP.NET1.1, in 1.0 you need to manually add custom methods or
machism to implement the cross-site scripting check. So I don't think that
you need to do anything by default? Also, you've mentioned that you've a
certain page which need to disable the cross-scripting check, would you
please provide more information about what you'd like to do on this page
and what's the problem you encountered when run the funcionality on that
page? And here is a weblink for how to implement "cross-site scripting
check" manually in ASP.NET1.0, you may have a look to see whether it'll
provide some ideas.:
http://msdn.microsoft.com/library/en...rotection.asp? frame=true

In the mean time, I'll do further research on this issue. If you have any
questions or new findings, please feel free to let me know, thanks.
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


Nov 18 '05 #7
Hi Scott M,

Thank you for your prompt response. First I'd appologize for
misunderstandin g your problem. Now, I've got that you've got a single page
which want to get rid of the "request validate" provided by ASP.NET,yes?
After reviewing the situation you mentioned in the preceding reply. I
thought that the main problem is that your page is compiled under dotnet
framework1.0 and now the enviroment is 1.1. Since in ASP.NET 1.0 there is
no "request validate" for pages, so all the compiled page class(assembly)
didn't have any infomation for this. But because your deplyment enviroment
is 1.1 version, then the ASP.NET runtime will check the page class for the
"validatereques t" information, but it can't find since nothing is set in
1.0, so the ASP.NET runtime use the default setting in the web.config ,if
no setting in the web.config, then use the default setting in the
machine.config, the default value is requestValidate ="true". Then you will
encountered the requestvalidate exception such as
------------------------------------------------------------------exception
occured--------------------------------
A potentially dangerous Request.Form value was detected from the client
(txtTagContent= "<adfd>").
Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by
setting validateRequest =false in the Page directive or in the configuration
section. However, it is strongly recommended that your application
explicitly check all inputs in this case.
----------------------------------------------------------------------------
--------------------------------------------

Is the situation I described same as yours? Please let me know if there is
anything different.

If so, here is some of my suggestions:

1. Since the "validateReques t" page attribute could only set for ASP.NET
1.1 's page, do you think it possible that you recompile the page classes
under 1.1 framework?

2. If you it really unconfortable for you to recompile the pages again,
I've another way to workaround this problem. Since the default value of
"validateReques t" can be set in web.config file. We can take advantage of
this feature to set the default value as "false". However, you may think
that it'll cause all the pages having no requestvalidate checking. Yes, but
in ASP.NET web applications there can be more than one web.config files as
long as they are in different folders. So my suggestion is to create a
separate sub folder , and put a certain web.config file particularly for
the subfolder,
For example, my web application's root folder is "MyWebApp", it has some
pages and a web.config file, then, I create another sub folder named
"noncheck" and also provide a web.config file in it. The file structure is
like:

wwwroot/MyWebApp
web.config
...some asp.net pages
/noncheck
singlenocheck.a spx
web.config

the "singlenocheck. aspx" is the page which need no "requestValidat e" check.
Then,in the "MyWebApp" folder's web.config file , we set the
requestvalidate as ture,just add this:
<pages
validateRequest ="true"/>

in the "noncheck" subfolder's web.config file , we set as below:
<?xml version="1.0" encoding="utf-8" ?>
<configuratio n>

<system.web>

<pages
validateRequest ="false"/>

</system.web>

</configuration>

Thus, when we request the pages in the root folder, the ASP.NET runtime
will have the requestvalidate check, and if we request the
"singlenocheck. aspx" in the "noncheck" folder , it will apply the setting
the subfolder's web.config, it won't check the request data.

Please try the preceding suggestions to see whether they help. If you have
any new findings please also let me know. Thanks.
Merry Christmas!!

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 18 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

12
3846
by: * ProteanThread * | last post by:
but depends upon the clique: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=954drf%24oca%241%40agate.berkeley.edu&rnum=2&prev=/groups%3Fq%3D%2522cross%2Bposting%2Bversus%2Bmulti%2Bposting%2522%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den ...
3
3082
by: rollasoc | last post by:
Hi, Doing a bit of system testing on a Windows 98 laptop. (.Net 1.1 app). Did a bit of testing. Loaded a previously saved file. A gray box appeared with the text and buttons all white rectangles with a big red cross in it. Pressed a button (the one I thought might be ok). My file appeared to load. Then when I clicked on any...
4
5562
by: David Peach | last post by:
Hello, hope somebody here can help me... I have a query that lists defects recorded in a user defined date range. That query is then used as the source for a Cross Tab query that cross-tabs count of defect type by calendar month. Defect types are stored in one table, defect transactions in another along with date etc. When I cross-tab the...
23
6490
by: Jeff Rodriguez | last post by:
Here's what I want do: Have a main daemon which starts up several threads in a Boss-Queue structure. From those threads, I want them all to sit and watch a queue. Once an entry goes into the queue, grab it and run a system command. Now I want to make sure that system command doesn't hang forever, so I need some way to kill the command...
8
4837
by: Pieter | last post by:
Hi, I'm having some weird problem using the BackGroundWorker in an Outlook (2003) Add-In, with VB.NET 2005: I'm using the BackGroundWorker to get the info of some mailitems, and after each item I want to raise the ProgressChanged-event to update the DataGridView. It works fine when only one Progresschanged is fired, but at the second,...
3
2323
by: jlamanna | last post by:
I was wondering if there was a utility that could tell you when your C# application is making cross-apartment COM calls. I have a fairly large application that makes extensive use of a 3rd party object system that is exposed to .NET through COM, and I'm really trying to avoid slow cross-apartment calls. Also, is using Invoke() on a class...
1
2752
by: Rob Woodworth | last post by:
Hi, I'm having serious problems getting my report to work. I need to generate a timesheet report which will contain info for one employee between certain dates (one week's worth of dates). I have a table containing records for each job done, the records contain date, employee name, job done (a code representing the type of job), cost code...
6
13146
by: Robert Bravery | last post by:
Hi all, Can some one show me how to achieve a cross product of arrays. So that if I had two arrays (could be any number) with three elements in each (once again could be any number) I would get: the two arrays {"one","two","three"},{"red","green","blue} the result one red one green
6
8605
by: Simon | last post by:
Hi All, An experiment i'm doing requires requires a synchronous cross-domain request, without using a proxy. I wondered if anyone had any ideas to help me achieve this. Below is what I have tried, including my conclusions/assumptions (which i'll happily be corrected on if it solves my problem!): The requirement not to use a proxy means...
6
5464
by: Bart Van der Donck | last post by:
Hello, I'm presenting my new library 'AJAX Cross Domain' - a javascript extension that allows to perform cross-domain AJAX requests. http://www.ajax-cross-domain.com/ Any comments or suggestions are welcome. --
0
7520
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
7446
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
7718
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. ...
0
7956
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
0
7809
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
1
5368
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
5088
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
0
3498
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in...
0
763
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.