You must Sign In to post a response.
  • Category: ASP.NET

    Potentially dangerous Request

    I created web page where user can fill his detail.After clicking on button,user is redirected to another page.Suppose user enter something in address which include '<' or '>'I am changing it with it's htmlencode character through javascript onclientclick event of button to avoid error 'potentially dangerous Request'. and onclick event of button again,replacing htmlencode character to '<' or '>'.When user use browser's back button.He will see html encode character not '<' or '>'.Why this is happening,I already changed to '<' ?.How to handle this?I am using content page?I am using .net framework 4.5.
  • #765363
    Hi pinky,
    As you have mentioned, you are using htmlencode for some of the characters.
    But when user use browser's back button, you can use htmldecode for those characters before displaying them to user.
    Hope it helps.
    Shashikant Gurav

  • #765364
    Asp.Net 4.0+ comes with a very strict built-in request validation, part of it is the potential dangerous characters in the url which may be used in XSS attacks. Here are default invalid characters in the url , as < > * % & : \ ?
    To resolve this, You can change this behavior in your config file: see below
    <httpRuntime requestPathInvalidCharacters="<,>,*,%,&,:,\,?" />
    OR you can use following settings
    <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
    <pages validateRequest="false" />

    Editor, DotNetSpider MVM
    Microsoft MVP 2014 [ASP.NET/IIS]

  • Sign In to post your comments