Cross-Site Scripting...

How can I disable the cross-site scripting check for one particular page of
a site?
Nov 18 '05 #1
In the Page directive, insert ValidateRequest="False"

It's set to True by default in v1.1
Nov 18 '05 #2
Here's my situation though.

I develop on VS.NET 2002 and upload my project to my web hosting provider
who uses the 1.1 framework.

When I add the validateRequest = "False" directive into my code, it does
nothing because I am compiling against the 1.0 framework.
Nov 18 '05 #3
Hi Scott M,
Thank you for using Microsoft Newsgroup Service. Based on your description,
you're looking for some information on "preventing the Cross-Site
Scripting". This is a security issue which is concerned with the client side
browser and data communication with the server side. It is unlike some other
server-side attributes that can be configured or set simply on the server side.
I've reviewed some references on this issue; here are some tech
articles in the MS Knowledge Base library which
provide a detailed explanation of it:

HOWTO: Prevent Cross-Site Scripting Security Issues View products that this
article applies to.
http://support.microsoft.com/?id=252985

Preventing Internet Explorer and Outlook Express Cross-Site Scripting
Security Issues
http://support.microsoft.com/default...b;EN-US;253117

Please have a look to see whether they help you. If you have any questions
on it, please feel free to let me know.
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Nov 18 '05 #4
Thanks for your reply. I am aware of what cross-site scripting is and what its
potential dangers are. I need to deactivate it for one page only and that
page is password protected.

My application is built using VS.NET 2002 but is being run on a server that
runs the 1.1 framework so when I add the page level ValidateRequest="False",
nothing happens because I am compiling with the 1.0 framework.

Any suggestions how to turn it off for this one page in my circumstance?

Thanks.
Nov 18 '05 #5
Hi Scott M,

Thank you for the prompt response. Yes, the "ValidateRequest" attribute is
used in ASP.NET 1.1; in 1.0 you need to manually add custom methods or a
mechanism to implement the cross-site scripting check. So I don't think that
you need to do anything by default? Also, you've mentioned that you have a
certain page which needs to disable the cross-scripting check; would you
please provide more information about what you'd like to do on this page
and what problem you encountered when running the functionality on that
page? And here is a weblink for how to implement a "cross-site scripting
check" manually in ASP.NET 1.0; you may have a look to see whether it'll
provide some ideas:
http://msdn.microsoft.com/library/en...rotection.asp?frame=true

In the mean time, I'll do further research on this issue. If you have any
questions or new findings, please feel free to let me know, thanks.
Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 18 '05 #6
Hi Steven,

Thanks for your help. I think you've got my situation backwards. I don't
want to implement a cross-site scripting check in my application. I'm
already getting that functionality because my application (which was written
and compiled in the 1.0 Framework) is running under the 1.1 Framework.

What I need to do is "disable" this inherent cross-site scripting check for
one particular page of mine. I have tried adding the page directive of
validateRequest="false", but this does not disable the check.

I have one page in my site that is password protected to get to which allows
me to (using a DataGrid) modify SQL Server data that is used on a different
page and rendered in a Calendar control. I need to be able to add HTML to
the SQL data, so that when it appears on the calendar, it appears as I want
it to.

I have put a temporary fix in place. Instead of me entering "<" and ">"
characters, I enter "[" and "]" characters and once the form data is
submitted, I convert "[" to "<" and "]" to ">". This works, but it is
clumsy.
Nov 18 '05 #7
Hi Scott M,

Thank you for your prompt response. First I'd apologize for
misunderstanding your problem. Now, I understand that you've got a single page
which wants to get rid of the "request validate" provided by ASP.NET, yes?
After reviewing the situation you mentioned in the preceding reply, I
think that the main problem is that your page is compiled under dotnet
framework 1.0 and now the environment is 1.1. Since in ASP.NET 1.0 there is
no "request validate" for pages, the compiled page class (assembly)
doesn't have any information for this. But because your deployment environment
is version 1.1, the ASP.NET runtime will check the page class for the
"validaterequest" information, but it can't find it since nothing is set in
1.0, so the ASP.NET runtime uses the default setting in the web.config; if
there is no setting in the web.config, it uses the default setting in the
machine.config, where the default value is requestValidate="true". Then you will
encounter the requestvalidate exception such as:

---------------- exception occurred ----------------
A potentially dangerous Request.Form value was detected from the client
(txtTagContent="<adfd>").
Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by
setting validateRequest=false in the Page directive or in the configuration
section. However, it is strongly recommended that your application
explicitly check all inputs in this case.
----------------------------------------------------
Is the situation I described same as yours? Please let me know if there is
anything different.

If so, here are some of my suggestions:

1. Since the "validateRequest" page attribute can only be set for ASP.NET
1.1 pages, do you think it is possible for you to recompile the page classes
under the 1.1 framework?

2. If it is really uncomfortable for you to recompile the pages again,
I have another way to work around this problem. The default value of
"validateRequest" can be set in the web.config file, so we can take advantage of
this feature to set the default value to "false". However, you may think
that it'll cause all the pages to have no requestvalidate checking. Yes, but
in ASP.NET web applications there can be more than one web.config file as
long as they are in different folders. So my suggestion is to create a
separate subfolder, and put a web.config file in it specifically for
that subfolder.
For example, my web application's root folder is "MyWebApp"; it has some
pages and a web.config file. Then I create another subfolder named
"noncheck" and also provide a web.config file in it. The file structure is
like:

wwwroot/MyWebApp
    web.config
    ...some asp.net pages
    /noncheck
        singlenocheck.aspx
        web.config

"singlenocheck.aspx" is the page which needs no "requestValidate" check.
Then, in the "MyWebApp" folder's web.config file, we set the
requestvalidate to true; just add this:

    <pages validateRequest="true"/>

In the "noncheck" subfolder's web.config file, we set it as below:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <!-- overrides the parent setting for pages in this folder only -->
        <pages validateRequest="false"/>
      </system.web>
    </configuration>

Thus, when we request the pages in the root folder, the ASP.NET runtime
will do the requestvalidate check, and if we request
"singlenocheck.aspx" in the "noncheck" folder, it will apply the setting in
the subfolder's web.config and won't check the request data.

Please try the preceding suggestions to see whether they help. If you have
any new findings please also let me know. Thanks.
Merry Christmas!!

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 18 '05 #8
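
The exception text quoted in the last reply recommends that the application explicitly check all inputs once request validation is disabled. As an added example (not code from any poster in this thread), one way to do that for the calendar text is to HTML-encode the whole value and then restore a short list of attribute-free formatting tags. The `CalendarHtml` class name and the tag list are assumptions.

```csharp
using System;
using System.Text;
using System.Web;   // HttpUtility (System.Web.dll on .NET Framework)

// Added example: explicit input handling for a page that runs with
// validateRequest="false". CalendarHtml and its tag list are hypothetical.
public sealed class CalendarHtml
{
    // Only bare formatting tags, without attributes, are ever restored.
    private static readonly string[] AllowedTags =
        { "b", "i", "u", "em", "strong", "br" };

    // Encode everything first, then turn the encoded form of each allowed
    // tag back into markup. Anything else stays inert text.
    public static string Sanitize(string input)
    {
        if (input == null) return String.Empty;
        StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(input));
        foreach (string tag in AllowedTags)
        {
            string open = "<" + tag + ">";
            string close = "</" + tag + ">";
            sb.Replace(HttpUtility.HtmlEncode(open), open);
            sb.Replace(HttpUtility.HtmlEncode(close), close);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs for the admin DataGrid field.
        string[] samples = {
            "<b>Board meeting</b><br>Room 4",
            "<script>alert(1)</script>Picnic",
            "<b onmouseover=\"x()\">Sale</b>"
        };
        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));
    }
}
```

Tags that carry attributes, upper-case tags and anything not on the list stay encoded and render as text; an orphaned closing tag can remain in the output, which is inert.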
