views: 375
answers: 5

I need to be able to allow query strings that contain characters like '<' and '>'. However, putting something like id=mi<ke into the URL will output an error page saying:

A potentially dangerous Request.QueryString value was detected from the client (id="mi<ke").

If I first url encode the url (to create id=mi%3Cke) I still get the same error. I can get around this by putting ValidateRequest="false" into the Page directive, but I'd prefer not to do that if at all possible.

So is there any way to allow these characters in query strings and not turn off ValidateRequest?

EDIT: I want to allow users to be able to type the URLs in by hand as well, so encoding them in some way might not work.

A: 

Instead of URL encode, you could encrypt your id value to get around the issue. You will probably then need to URL encode the encrypted string.

JasonS
This would work for links that I create on the page, but not for links that the user would type directly into the browser.
Mike Hall
+5  A: 

I ran into a problem similar to this. I chose to base64 encode the query string to work around it, using

System.Text.ASCIIEncoding.ASCII.GetBytes

to get the string as bytes and then

System.Convert.ToBase64String

to turn it into a "safe" string.

To get it back, use:

System.Convert.FromBase64String

and then:

System.Text.ASCIIEncoding.ASCII.GetString

to reverse the polarity of the flow.

Andrew Rollings
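As an added example (not code from the answer above, and written in JavaScript rather than .NET), here is the Base64 round trip applied to a query-string value, with the detail the answer leaves out: standard Base64 output contains '+', '/' and '=', which are not query-string safe ('+' in particular comes back as a space), so the value is converted to the base64url alphabet. The decoder rejects anything outside that alphabet, and the decoded text is HTML-escaped before it is written back to a page, because encoding gets '<' past request validation but does not make it harmless. The function names, the use of Node's Buffer and the sample URL are this example's own assumptions.

```javascript
// Added example: base64url-encode a query-string value and decode it safely.
// Helper names, the use of Node's Buffer and the sample URL are this example's own
// assumptions, not code from the answer above.

// Standard Base64 -> base64url (RFC 4648 section 5): '+' -> '-', '/' -> '_', no '=' padding.
// These three characters are the ones that misbehave inside a query string.
function toQueryValue(text) {
  const b64 = Buffer.from(text, "utf8").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Reverse of toQueryValue. Anything outside the base64url alphabet is rejected
// up front instead of being handed to the decoder.
function fromQueryValue(value) {
  if (typeof value !== "string" || !/^[A-Za-z0-9_-]*$/.test(value)) {
    throw new Error("id is not a base64url string");
  }
  let b64 = value.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  return Buffer.from(b64, "base64").toString("utf8");
}

// Build a link of the kind the page itself would emit.
function buildUrl(base, id) {
  return base + "?id=" + toQueryValue(id);
}

// Read the id back from a full URL (what the server-side handler would do).
function idFromUrl(url) {
  const raw = new URL(url).searchParams.get("id");
  if (raw === null) throw new Error("missing id");
  return fromQueryValue(raw);
}

// The decoded id is still user-controlled text. Base64 only hid it from request
// validation; escape it before writing it into HTML.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Sample run on the value from the question (constructed input).
const link = buildUrl("https://example.test/page", "mi<ke");
const id = idFromUrl(link);
console.log(link, "->", id, "-> rendered as", htmlEscape(id));
```

Links generated by the page work with this; a user typing the URL by hand would have to type the encoded form, which is the limitation Mike Hall points out for the encryption approach as well.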
A: 

I think you have some options. You could do as you indicate and turn off ValidateRequest. You would then need to take care of any input sanitization on your own. Or you could allow only certain characters and either have the user use a meta language to input them, i.e., instead of '<' use '[' and replace '>' with ']', or re-encode these yourself before submission to the meta language (or Base64). Doing the re-encoding yourself would require JavaScript to be available for queries that used forbidden characters. You may still need to do input sanitization.

Quick stab at a jQuery implementation:

 $(document).ready(function () {
    $('form').bind('submit', function () {
       // 'this' is the form being submitted; encode each text input inside it
       $('input[type=text]', this).each(function () {
          if (this.value) {
             this.value = encode(this.value);
          }
       });
    });
 });

 function encode(value) {
    // the meta language described above: '<' becomes '[' and '>' becomes ']'
    return value.replace(/</g, '[').replace(/>/g, ']');
 }
tvanfosson
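The plain substitution described above is not reversible on its own: once '<' has become '[', the server cannot tell it apart from a '[' the user actually typed. As an added example (JavaScript, not code from the answer), here is the meta language with an escape character so the server can decode it exactly, plus a decoder that rejects malformed input instead of guessing. The escape character '~' and the function names are this example's own assumptions.

```javascript
// Added example: a reversible "meta language" for query values.
// '<' -> '[' and '>' -> ']' as the answer suggests; a literal '[', ']' or the escape
// character '~' is prefixed with '~' so that decoding is unambiguous. The choice of '~'
// and the function names are this example's own assumptions.
const ESCAPE = "~";

function metaEncode(text) {
  let out = "";
  for (const ch of text) {
    if (ch === "<") out += "[";
    else if (ch === ">") out += "]";
    else if (ch === "[" || ch === "]" || ch === ESCAPE) out += ESCAPE + ch;
    else out += ch;
  }
  return out;
}

// Server side: undo metaEncode. A trailing escape, or an escape followed by anything
// other than '[', ']' or '~', means the value was not produced by metaEncode, so it is
// rejected. The decoded result is still untrusted input and must be escaped on output.
function metaDecode(value) {
  let out = "";
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === ESCAPE) {
      const next = value[i + 1];
      if (next !== "[" && next !== "]" && next !== ESCAPE) {
        throw new Error("malformed escape at offset " + i);
      }
      out += next;
      i++;
    } else if (ch === "[") out += "<";
    else if (ch === "]") out += ">";
    else out += ch;
  }
  return out;
}

// Encode every text field before submit: the same idea as the jQuery snippet above,
// written against a plain object of field values so it runs without a DOM.
function encodeFields(fields) {
  const encoded = {};
  for (const [name, value] of Object.entries(fields)) {
    encoded[name] = value ? metaEncode(value) : value;
  }
  return encoded;
}

// Constructed sample values, including ones that contain the meta characters themselves.
const samples = ["mi<ke", "a[b]c", "x~y", "<[>]"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", metaEncode(s), "->", metaDecode(metaEncode(s)));
}
```

The encoded form contains only '[', ']' and '~', which request validation does not object to, and a user can type it by hand, which addresses the asker's edit.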
+1  A: 

A little googling and I don't think so. The exception seems to happen before your code even runs so you can't trap the exception. I like the encoding as base64 or something idea.

Will Rickards
A: 

I was working with the same problem, however, I stumbled upon this JavaScript encoding method:

<script type="text/javascript">

 var unencodedText = "This is my text that contains whitespaces and characters like & and Ø";
 var encodedText = "";
 var decodedText = "";
 alert('unencodedText: ' + unencodedText);

 //To encode whitespaces and the 'Ø' character - use encodeURI
 encodedText = encodeURI(unencodedText);
 //We see that whitespaces and 'Ø' are encoded, but the '&' is still there:
 alert('encodedText: ' + encodedText);

 //If we decode it we should get our unencodedText back
 decodedText = decodeURI(encodedText);
 alert('decodedText: ' + decodedText);

 //To also encode the '&' we use the encodeURIComponent
 encodedText = encodeURIComponent(unencodedText);
 //Now all the characters have been encoded:
 alert('encodedText: ' + encodedText);

 //To get our unencodedText back we now need to use the decodeURIComponent
 decodedText = decodeURIComponent(encodedText);
 alert('decodedText: ' + decodedText);

</script>

If you're dealing with more complicated symbols then you might want to use the encodeURIComponent for the url.

And I stole this gem from this link.

melaos