Preventing quotes causing a HttpRequestValidationException - asp.net

To prevent a HttpRequestValidationException I httpEncode (using a javascript library) my input to send it to the server, where it is httpEncoded again and stored. Then I process it in reverse to get it back, with an extra encode added if it's going into a label.
This seems to work fine, but I get a HttpRequestValidationException if I put a single quote into my textbox. The httpEncode changes this to &#39;, which seems to be what is triggering the validation error. Is there a workaround? I can't afford to turn off page validation at the page level. Also, is this error likely to occur for other characters I haven't yet discovered?
Seems odd that it would choose that as potentially dangerous, when &lt;html&gt; produces no validation problem. Also " encodes to &quot; without a problem.

I've encountered the same problem. Amazing how difficult it is to fix this one.
I've ended up using javascript to replace my apostrophes with a token that I re-replace on the server. I'm posting my code snips below, but these are pretty specific to my situation.
Javascript (Client):
convertedString = originalString.replace(/\'/g, '&apos2;');
ASP.NET (Server):
originalString = HttpUtility.HtmlDecode(
HttpUtility.HtmlDecode(convertedString)
).Replace("&apos2;", "'");
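As an added illustration (not the poster's code), the same token trick with both halves written in JavaScript so the round trip can be checked offline; the server half in the real app is the C# above, and the "&#" / "<" check is only an approximation of ASP.NET's request validation rule.

```javascript
// Added example, not from the thread: the apostrophe-token approach above,
// with a JavaScript stand-in for the ASP.NET half so the round trip can be
// checked offline. htmlEncode/htmlDecode cover only the five significant
// HTML characters; in the real app the server half is the C# shown above.

function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

function htmlDecode(s) {
  // &amp; is decoded last so one call removes exactly one layer of encoding
  return s.replace(/&#39;/g, "'").replace(/&quot;/g, '"').replace(/&gt;/g, ">")
          .replace(/&lt;/g, "<").replace(/&amp;/g, "&");
}

// Approximation of what ASP.NET request validation rejects: "&#" and a "<"
// that opens a tag. A plain HTML encode of an apostrophe yields "&#39;", which trips it.
function triggersRequestValidation(posted) {
  return /&#|<[a-zA-Z!\/?]/.test(posted);
}

// Client: swap apostrophes for a private token *before* encoding, so the
// value that crosses the wire never contains "&#".
function clientEncode(original) {
  return htmlEncode(original.replace(/'/g, "&apos2;"));
}

// Server: the posted value is encoded once more on storage (as in the question) ...
function serverStore(posted) {
  return htmlEncode(posted);
}

// ... so restoring means two decodes and then putting the apostrophes back,
// mirroring the C# in the answer.
function serverRestore(stored) {
  return htmlDecode(htmlDecode(stored)).replace(/&apos2;/g, "'");
}
```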

Generated token from "useradd" operation does not work

I've been told by support to write here, so:
I'm using the "useradd" endpoint to add users for my app. However, after the user is successfully created, the token I'm getting does not actually work.
Weirdly enough I can see it in the dashboard, but shortly after I try using it on the client JS code, it disappears from there.
Seems like some sort of weird bug to me, but not sure. 🤷‍♂️
Also: When I either regenerate the token on the dashboard by hand before trying it, or add it after it disappears, that one would work.
Post your code and how you are generating token. Whatever unique string you use for generating token MUST also be used when you call setAppName
Read tutorials here https://mesibo.com/documentation/tutorials/get-started/first-app/
Turns out it was because the backend normalises whatever app id I use.
So "GoneWithTheWind" becomes "gonewiththewind", and hence if you use "GoneWithTheWind" in the JS setAppName call, it won't work.
(And your token will disappear for some reason as well.)
Leading and trailing whitespace is stripped as well.
Also, a numeric "app id" is fine, just make sure that it's used as a string in the JS code, so for example: setAppName("4567").

How do I validate a zip code in visual basic?

I am supposed to use the regularExpressionValidator to verify a ZIP code for a basic webpage I'm making. If the Zip code is valid, the submit button's click event procedure should display the message "Your ZIP code is" followed by the ZIP code and a period.
I don't know how to do an "if" statement to check to see if the zip is valid or not.
Why does the value = 0 when I enter 60611-3456?
...don't know how to do an "if" statement...
You were assigned to use a RegularExpressionValidator, and this sounds like homework. If so, it also sounds like the purpose of the assignment is to make this happen without writing any if statements at all.
The validator controls have a feature where a postback event will not occur if validation fails. You use a correct regular expression with a correctly configured validator control, and the code that shows the "Your zip code is..." message will never run. Configuring the validator control is the point of the assignment; you need to do that part on your own. But finding an acceptable regular expression is a distraction from the real learning, and so I don't mind just giving that to you:
^\d{5}(-\d{4})?$
The issue is that your regular expression indicates the four digits must exist if you have the dash. Generally that would be okay but since you're using an input mask the dash always exists, even when it's only five digits. Try the following expression.
ValidationExpression="\d{5}-?(\d{4})?$"
Hope it helps.
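As an added check (not from the answers), both expressions run the way RegularExpressionValidator applies them: the control's client script only accepts a match that covers the whole value and treats an empty field as valid, which is why the second answer's pattern works without a leading ^.

```javascript
// Added example, not from the answers: the two expressions from this thread,
// applied the way RegularExpressionValidator applies them. The control's client
// script runs RegExp.exec and accepts only a match equal to the whole value,
// and treats an empty field as valid (RequiredFieldValidator covers that case).
const STRICT_ZIP = "^\\d{5}(-\\d{4})?$";   // first answer: dash only together with 4 more digits
const MASKED_ZIP = "\\d{5}-?(\\d{4})?$";   // second answer: tolerates the input mask's dangling dash

function validatorMatches(value, expression) {
  if (value === "") return true;
  const m = new RegExp(expression).exec(value);
  return m !== null && m[0] === value;   // whole-value match, so a missing ^ is harmless here
}

// What the submit handler in the assignment would show once validation passes;
// null means the handler must not run (the postback is suppressed client-side
// and Page.IsValid is false server-side).
function zipMessage(value, expression) {
  return validatorMatches(value, expression) ? "Your ZIP code is " + value + "." : null;
}

// Caveat: the relaxed pattern also accepts nine digits with no dash at all,
// e.g. "606113456", because the dash and the suffix are independently optional.
```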

CAT.NET: vulnerability or false positive?

2nd in an occasional series:
Here's the first one
Is CAT.NET correct that the following is a genuine vulnerability in ASP.NET or is it a false positive?
var myInt = Int32.Parse(txtUserInput.Text);
Response.Redirect(string.Format("myPage.aspx?myId={0}", myInt));
CAT.NET is reporting this as a redirect vulnerability needing remediation via encoding myInt.
I wouldn't call that dangerous but it's not how I would write it myself.
int myInt;
if (Int32.TryParse(txtUserInput.Text, out myInt)) {
    Response.Redirect(string.Format("myPage.aspx?myId={0}", myInt));
}
is, to my mind, cleaner as it won't throw an exception if the parse fails due to bad user input and we are explicitly typing the int.
Any error handling code can be bundled into an else statement on the end.
I don't believe so, it could cause an exception so TryParse might be a better approach. It's just yelling because you are taking user input and redirecting based on it. It's possibly being a little too aggressive which isn't exactly bad.
There is no exploitable vulnerability as a result of this code. Any vulnerability would be a result of what myPage.aspx does with the value of myId, not how your url is built. Anyone could just as easily directly hit myPage.aspx with anything they want in the querystring.
However this is bad practice, assuming that you haven't left anything out of the code between those two lines. You should verify that txtUserInput.Text contains only numeric characters, and falls within allowable values.
Exploits happen because of improper parsing of user-supplied data by the page it's posted to -- not improper generating of URLs. While it's a good idea to try to make sure your web site won't write a broken URL because of something that's put in a form, input validation at the front-end is irrelevant to security. All that matters is what the code that accepts the input does with it, since any post or query string can be forged.

Ampersands in URLRewriter Query Strings

I have a query string parameter value that contains an ampersand. For example, a valid value for the parameter may be:
a & b
When I generate the URL that contains the parameter, I'm using System.Web.HTTPUtility.UrlEncode() to make each element URL-friendly. It's (correctly) giving me a URL like:
http://example.com/foo?bar=a+%26b
The problem is that ASP.NET's Request object is interpreting the (encoded) ampersand as a Query String parameter delimiter, and is thus splitting my value into 2 parts (the first has "bar" as the parameter name; the second has a null name).
It appears that ASP.NET is URL-decoding the URL first and then using that when parsing the query string.
What's the best way to work around this?
UPDATE: The problem hinges on URLRewriter (a third-party plugin) and not ASP.NET itself. I've changed the title to reflect this, but I'll leave the rest of the question text as-is until I find out more about the problem.
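As an added illustration of the symptom described in the question (example code, not from the thread or from URLRewriter), here are the two parsing orders side by side: splitting the raw query on "&" before decoding each piece, versus decoding the whole string first, which turns the encoded %26 back into a delimiter.

```javascript
// Added example, not from the thread: two query-string parsers that differ only
// in when they decode, to show why "bar=a+%26b" splits into two parameters
// when a rewriter decodes the whole URL before parsing it. Function names are
// illustrative; buildQuery approximates HttpUtility.UrlEncode's "+" for space.

function decodeComponent(s) {
  // application/x-www-form-urlencoded: "+" is a space, then percent-decode
  return decodeURIComponent(s.replace(/\+/g, " "));
}

// Correct order: split on the raw "&" and "=" delimiters, decode each piece afterwards.
function parseQueryCorrect(query) {
  const result = {};
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    // a pair with no "=" is the "null name" case the question mentions; keyed as "" here
    const name = eq < 0 ? "" : decodeComponent(pair.slice(0, eq));
    result[name] = decodeComponent(eq < 0 ? pair : pair.slice(eq + 1));
  }
  return result;
}

// The behaviour described in the question: decode the whole string first, so an
// encoded %26 becomes a literal "&" and is then treated as a parameter delimiter.
function parseQueryDecodeFirst(query) {
  return parseQueryCorrect(decodeComponent(query));
}

// Builds the query the way the question does: each value encoded, "+" for space.
function buildQuery(params) {
  return Object.keys(params)
    .map(k => encodeURIComponent(k) + "=" + encodeURIComponent(params[k]).replace(/%20/g, "+"))
    .join("&");
}
```

Only the first parser returns the ampersand inside the value; the second yields the "bar" plus nameless-parameter split reported above.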
Man,
I am with you in the same boat. I have spent hours and hours trying to figure out what the problem is, and as you said it is a bug in both, as normal links that contain weird characters or UTF-8 characters are parsed fine by ASP.NET.
I think we have to switch to MVC routing.
Update: man, you won't believe it, I have found the problem and it is so strange: it is with IIS.
Try to launch your page from the Visual Studio dev server and Unicode characters will be parsed just fine, but if you launch the page from IIS 7 it will give you the ???? characters.
Hope somebody will shed some light here.
I would have thought that %26 and '&' mean exactly the same thing to the web server, so it's the expected behavior. UrlEncode is for encoding URLs, not encoding query strings.
... hang on ...
Try searching for abc&def in google, you'll get:
http://www.google.com.au/search?q=abc%26def
So your query string is correct, %26 is a literal ampersand. Hmm you're right, sounds like a bug. How do you go with an & instead of the %26 ?
Interesting reading:
http://www.stylusstudio.com/xsllist/200104/post11060.html
Switching to UrlRewritingNet.UrlRewrite did not help, as it apparently has the same bug. I'm thinking it might have something to do with ASP.NET after all.
I think URLRewriter has a problem with nameless parameters (null name).
I had a similar problem. When I gave my nameless parameter a (dummy) name, everything worked as expected.

"Could not reformat the document" in ASP.NET, VS2008

I'm in an ASP.NET UserControl. When I type Control-K, Control-D to reformat all the markup, I get a series of messages from VS 2008:
"Could not reformat the document. The original format was restored."
"Could not complete the action."
"The operation could not be completed. The parameter is incorrect."
Anybody know what causes this?
Edit: OK, that is just...weird.
The problem is here:
<asp:TableCell>
<asp:Button Text="Cancel" runat="server" ID="lnkCancel" CssClass="CellSingleItem" />
</asp:TableCell>
Somehow that asp:Button line is causing the problem. But if I delete any individual attribute, the formatting works. Or if I add a new attribute, the formatting works. Or if I change the tag to be non-self-closing, it works. But if I undo and leave it as-is, it doesn't work.
All I can figure is that this is some sort of really obscure, bizarre bug.
There's probably some malformed markup somewhere in your document. Have you tried it on a fresh document?
Did get the problem today.
My solution: Restart Visual Studio
Usually this sort of behavior is caused by invalid code. It may only be invalid HTML causing it which would still allow the program to be compiled.
For example, if tags are mismatched like this the IDE cannot reformat it.
<div><h1>My Title</div></h1
Check your warnings to see if there are any entries pointing towards mismatched or unclosed tags.
For me, it's usually as issue with whitespace. To fix it, I open Find and Replace (CTRL+H), set Look in to "Current Document", check Use and select "Regular expressions". For Find what I enter ":b|\n" (minus quotes), and for Replace with I enter a single space. Then I click Replace All.
The steps above will replace all whitespace—including line breaks—with a single space, and the next time you format the document, you shouldn't get any errors. That is assuming you don't have malformed HTML.
Select the entire suspicious code segments and use Ctrl+K, Ctrl+F to format only the selected segments instead of the whole document.
This way you can find the exact place of the problems, especially unclosed or inappropriately closed tags, and fix them.
After scanning segment by segment is done you can format the whole document for sure.
My problem was an extra ". Look carefully at the HTML.
I encountered this for the first time a few weeks ago. I found it was down to invalid HTML. I had to cut out sections of content and paste it back in a little at a time to track down the problem.
For me, I had some bogus characters in my markup code. I only found this out by copy and pasting all my text into Notepad. After that, I saw the bogus characters (showed up as little squares). I just deleted those lines and retyped them and now everything is ok.
I had an unwanted semi-colon. But you may have a quote ('), double quote ("), semi-colon (;) or any special character.
So, editing my answer with more details and a screenshot because it is still very active.
Go to that line by double clicking the error and search for the extra (unwanted) quote ('), double quote ("), semi-colon (;) or any special character. Remove it because it is causing the error.
Just to add some more information. This issue is caused due to some invalid markup in html.
It won't cause any blocking while running the application.
Unfortunately the solutions mentioned here did not work for me:
1. Restarting Visual Studio
2. Replacing spaces using regex etc.
The best solution to fix the issue is to go to the specific line where the issue is caused and check that line for any invalid symbols like , or ". Just remove it and it will work fine.
My issue was an extra " in the value of an HTML attribute. After removing it, everything works fine for me.