I'm using a php script to http post some xml files to a .net URL.

When I submit I get the response:

A potentially dangerous Request.Form value was detected from the client (<?xml version="...UTF-8"?> <!DOCTYPE cXML SYSTE..."). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

As I'm not using .NET I can't set ValidateRequest="false" in web.config.

Do I need to sanitize my xml before submitting? How can I do this?

+1  A: 

You need to set ValidateRequest="false" in the page that's receiving the XML, not in the page that's sending it. If you don't have any access to the page that you're passing the XML to, then you'll need to find another way to pass the data, or transform it into another format first as pretty much anything that looks like HTML will cause an asp.net page to trigger this warning.

Rob
Just a note: asker said: *"I can't set ValidateRequest="false" in web.config."*
Abel
@Abel, yeah, I saw that, and thus assumed that the OP may be less than familiar with asp.net as they're "using a **php** script to http post some xml files to a .net URL", and may have their wires crossed, given the "As **I'm** not using .NET I can't set..." seemed to suggest to me, at least, that the OP might think they need to set the value on the "client" side of the request, particularly as it's usually set as a per-page directive, rather than for a whole site.
Rob
Hi, yes I'm posting to an external URL - which I don't have access to.
thegunner
@thegunner - have you been given any instructions as to *how* to post to it then? If it rejects XML because of request validation then either you're sending the wrong thing, or the owner of the page should change it to `ValidateRequest="false"` =)
Rob
+2  A: 

It's intriguing that you can see the full error, but are not capable of accessing the ASP.NET code. Normally, one can only see the full error when in debug mode, because in production, the error-setting is (should be) RemoteOnly or Off. This seems a configuration mistake and a potential risk on the side of the ASP.NET site.

You say "to http post some xml files". If you were indeed posting files, you wouldn't receive this response. Maybe you can contact the site's owner and ask for him to change the form to allow file-input.

You can change your input such that it doesn't look like XML anymore, but then it isn't XML anymore either. I.e., change all < to &lt; and you'll be able to get your data through, but it must be unescaped when processed.

If this site is supposed to accept XML, it must be changed to accept XML. Either it should accept files, or it should accept HTML/XML input by turning ValidateRequest to off. If it is not supposed to receive XML, there's little you can do. It's like filling in a bank's payment form by putting letters in the amount-field: it just won't work (unless it was designed to work that way).

Abel
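
An added illustration of the escaping workaround described in the answer above (not code from the thread): a Python approximation of the check ASP.NET 4.x request validation applies to form values, run over a constructed cXML-style sample. It shows that replacing only `<` still trips on `&#` character references and does not round-trip, while escaping `&` as well does; the function names, the sample document and its DTD name are assumptions.

```python
import html

# Constructed sample; "example.dtd" is a placeholder, not taken from the thread.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE cXML SYSTEM "example.dtd">\n'
    '<cXML><Note>Caf&#233; &amp; bar</Note></cXML>'
)


def is_dangerous_string(s: str) -> bool:
    """Approximation of the ASP.NET 4.x request-validation rule:
    '<' followed by a letter, '!', '/' or '?', or '&' followed by '#'."""
    for i, ch in enumerate(s[:-1]):
        nxt = s[i + 1]
        if ch == "<" and ((nxt.isascii() and nxt.isalpha()) or nxt in "!/?"):
            return True
        if ch == "&" and nxt == "#":
            return True
    return False


def escape_lt_only(xml: str) -> str:
    """The literal '< to &lt;' substitution: leaves '&#...' untouched."""
    return xml.replace("<", "&lt;")


def escape_for_form(xml: str) -> str:
    """Escape '&' first, then '<' and '>', so the result is reversible."""
    return html.escape(xml, quote=False)


def restore(field: str) -> str:
    """What the receiving side must do before parsing the value as XML."""
    return html.unescape(field)


if __name__ == "__main__":
    for name, value in [("raw", SAMPLE_XML),
                        ("lt-only", escape_lt_only(SAMPLE_XML)),
                        ("full escape", escape_for_form(SAMPLE_XML))]:
        print(f"{name:12} rejected={is_dangerous_string(value)} "
              f"round-trips={restore(value) == SAMPLE_XML}")
```

The receiving page still has to unescape the field before parsing it, so this only works when the site's owner agrees to that format.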
+1  A: 

XML or anything that "looks like" it, is considered dangerous by default, as a reasonable way to block XSS attacks on something expecting plaintext content.

The problem is with the resource you are submitting to, not with your code; file a bug or tech-support request with them.

Jon Hanna
Hi, yeah I can receive the files to my external URL and I know other places can receive the file. I've emailed them and am waiting on response.
thegunner