IIS upgrade NOT backwards compatible?

Question

I have a series of web pages that running off if an IIS (5.1) server.

The pages use VBscript in .ASP pages which display and populate a back end database. These pages have been working 100% error free for years. I loaded a Microsoft tool (Visual Studio Express) to try it out. After loading the tool the IIS server started producing errors when the .asp pages tried to refresh. I think that the download tried to upgrade my web server. I removed the Visual Studio Express from my system. After numerous attempts to determine the source of the error (NOTE: No code was changed after the tool was loaded) I determined that the error happens when the characters “<><>” get posted during a refresh. NOTE: I use <><><><> in dynamically created pull downs as the default.

Ultimately the solution to the problem was simple, I just changed the default to be “---------“ in the pull downs versus “<><><><><>”

The Question is why did something that has worked 100% for over 9 years suddenly fail, and is there a configuration setting that I can change to have the server not error out on the <> characters.

A global search and replace will fix the problem, but this code sequence and subsequent logic are used in 100’s of places and that will be a tedious and time consuming task.

Answer 1

I know that ASP.Net has a ValidateRequest property which won't allow certain characters in certain places to prevent some hacking exploits. This is by default turned on. And I believe IIS 7 (possibly 6 also) treats all sites like an ASP.Net application to some degree (uses a web.config file). This isn't a verified fact, but I have web.config files show up even when I am testing an site with just .html files.

In ASP.Net you can change the ValidateRequest=true (default) property to ValidateRequest=false in the web.config file. That would probably stop the server side validation from happening and allow your defaults to go through.

Add <pages validateRequest="false" /> in system.web section of the web.config.

Answer 2

It's probably treating the angle brackets as potential cross-site scripting attacks - by default these days asp.net (I know you're using ASP, not ASP.NET) will throw an exception about a "Potentially dangerous postback" when you submit a string with angle brackets.

Is it possible that by installing VS (and therefore the DotNet framework) you've set the website that hosts these pages to use ASP.NET?

Have you tried removing the ASP.NET registration from that site? You can do this by running aspnet_regiis with the "-ua" switch. This command line tool can be found in:

C:\Windows\Microsoft.NET\Framework[vX.YYY]\

Where X.YYY is either 1.1.4322 or 2.0.50727