XML as a WebService parameter

Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint) which
has a webmethod accepting a XML string parameter, and you'll get validation
error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded via
SOAP XML, therefore, we should not directly pass parameter or return value
of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are in
escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!

Hi Steven,
The param is of type "string" and the webservice is called via other .net
apps (various methods).

We had this working fine under 1.1 and since the apps are all tightly
controlled, passing in an XML string was acceptable. Is this a consequence of
moving to 2.0? Do you know if it can be turned off?

Thanks.

"Steven Cheng[MSFT]" wrote:

Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint) which
has a webmethod accepting a XML string parameter, and you'll get validation
error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded via
SOAP XML, therefore, we should not directly pass parameter or return value
of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are in
escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!

Hi,
Is it possible to turn off the parameter validation for a webservice? We
could pass in XML as a parameter in 1.1 but not in 2.0. These are all
internal apps and the incoming parameter poses much less of a security risk
than normal.

Thanks.

"BillAtWork" wrote:

Hi Steven,
The param is of type "string" and the webservice is called via other .net
apps (various methods).

We had this working fine under 1.1 and since the apps are all tightly
controlled, passing in an XML string was acceptable. Is this a consequence of
moving to 2.0? Do you know if it can be turned off?

Thanks.

"Steven Cheng[MSFT]" wrote:

Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint) which
has a webmethod accepting a XML string parameter, and you'll get validation
error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded via
SOAP XML, therefore, we should not directly pass parameter or return value
of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are in
escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!

Hi Bill,

So are you calling the webservice through http POST or a client proxy
class? BTW, I've tried using a soap client proxy to call webservice and
input some string paramter(contains html markup), it doesn't raise such
exception. Would let me know your client type and the a simple text snippet
that can cause the problem?

So far what I can find is the <pages validateRequest= ... /setting in
web.config which is a global one for web pages. There is no dedicated
validation setting for webservice asmx endpoint.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: RE: XML as a WebService parameter
Date: Mon, 12 Nov 2007 01:05:02 -0800
Hi,
Is it possible to turn off the parameter validation for a webservice? We
could pass in XML as a parameter in 1.1 but not in 2.0. These are all
internal apps and the incoming parameter poses much less of a security risk
than normal.

Thanks.

"BillAtWork" wrote:

Hi Steven,
The param is of type "string" and the webservice is called via other .net
apps (various methods).

We had this working fine under 1.1 and since the apps are all tightly
controlled, passing in an XML string was acceptable. Is this a

consequence of

moving to 2.0? Do you know if it can be turned off?

Thanks.

"Steven Cheng[MSFT]" wrote:

Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint)

which

has a webmethod accepting a XML string parameter, and you'll get

validation

error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded

via

SOAP XML, therefore, we should not directly pass parameter or return

value

of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are

in

escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscripti...ult.aspx#notif

ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent

issues

where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each

follow

up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach

the

most efficient resolution. The offering is not appropriate for

situations

that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are

best

handled working with a dedicated Microsoft Support Engineer by

contacting

Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no

rights.

-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a

webservice

which accepted XML for one of the parameters. Since converting to 2.0 I

am

getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!