By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
435,030 Members | 1,997 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 435,030 IT Pros & Developers. It's quick & easy.

XML as a WebService parameter

P: n/a
Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!

Nov 8 '07 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint) which
has a webmethod accepting a XML string parameter, and you'll get validation
error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded via
SOAP XML, therefore, we should not directly pass parameter or return value
of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are in
escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!
Nov 9 '07 #2

P: n/a
Hi Steven,
The param is of type "string" and the webservice is called via other .net
apps (various methods).

We had this working fine under 1.1 and since the apps are all tightly
controlled, passing in an XML string was acceptable. Is this a consequence of
moving to 2.0? Do you know if it can be turned off?

Thanks.

"Steven Cheng[MSFT]" wrote:
Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint) which
has a webmethod accepting a XML string parameter, and you'll get validation
error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded via
SOAP XML, therefore, we should not directly pass parameter or return value
of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are in
escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!

Nov 9 '07 #3

P: n/a
Hi,
Is it possible to turn off the parameter validation for a webservice? We
could pass in XML as a parameter in 1.1 but not in 2.0. These are all
internal apps and the incoming parameter poses much less of a security risk
than normal.

Thanks.

"BillAtWork" wrote:
Hi Steven,
The param is of type "string" and the webservice is called via other .net
apps (various methods).

We had this working fine under 1.1 and since the apps are all tightly
controlled, passing in an XML string was acceptable. Is this a consequence of
moving to 2.0? Do you know if it can be turned off?

Thanks.

"Steven Cheng[MSFT]" wrote:
Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint) which
has a webmethod accepting a XML string parameter, and you'll get validation
error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded via
SOAP XML, therefore, we should not directly pass parameter or return value
of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are in
escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!
Nov 12 '07 #4

P: n/a
Hi Bill,

So are you calling the webservice through http POST or a client proxy
class? BTW, I've tried using a soap client proxy to call webservice and
input some string paramter(contains html markup), it doesn't raise such
exception. Would let me know your client type and the a simple text snippet
that can cause the problem?

So far what I can find is the <pages validateRequest= ... /setting in
web.config which is a global one for web pages. There is no dedicated
validation setting for webservice asmx endpoint.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: RE: XML as a WebService parameter
Date: Mon, 12 Nov 2007 01:05:02 -0800
Hi,
Is it possible to turn off the parameter validation for a webservice? We
could pass in XML as a parameter in 1.1 but not in 2.0. These are all
internal apps and the incoming parameter poses much less of a security risk
than normal.

Thanks.

"BillAtWork" wrote:
Hi Steven,
The param is of type "string" and the webservice is called via other .net
apps (various methods).

We had this working fine under 1.1 and since the apps are all tightly
controlled, passing in an XML string was acceptable. Is this a
consequence of
moving to 2.0? Do you know if it can be turned off?

Thanks.

"Steven Cheng[MSFT]" wrote:
Hi Bill,

From your description, you have an ASP.NET webservice (asmx endpoint)
which
has a webmethod accepting a XML string parameter, and you'll get
validation
error when you call the webservice, correct?

regarding on the webservice, I'd like to confirm the following things:

** The xml parameter of your webmethod is of "String" type, correct?

** How are you consuming the webservice, through the asmx page(via http
post) or through a generated client proxy class?

Generally, for XML webserivice, since its underlying message is encoded
via
SOAP XML, therefore, we should not directly pass parameter or return
value
of raw XML string content. Here is a former blog article which has
mentioend this:

#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archiv...12/130637.aspx

Also, if you do need to pass XML string content, you can consider the
following means:

** manually perform htmlencoding on it so that all the xml content are
in
escaped format

** use a CDATA section to wrapper the xmlstring.

Here is a forum thread discussing on this problem too:

#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent
issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each
follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach
the
most efficient resolution. The offering is not appropriate for
situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are
best
handled working with a dedicated Microsoft Support Engineer by
contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.



-------------------
From: =?Utf-8?B?QmlsbEF0V29yaw==?= <Bi********@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800

Hi,
We recently converted a 1.1 project to 2.0 and this included a
webservice
which accepted XML for one of the parameters. Since converting to 2.0 I
am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---

The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").

Does anyone know of a way to turn this off for webservices?

Thanks!
Nov 13 '07 #5

This discussion thread is closed

Replies have been disabled for this discussion.