security error

Ersin Gençtürk

onk= -> why does this string cause security errors? It isn't "<", nor ">"
??
 
Brock Allen

This security check is done on postback data because that syntax could be
a cross site scripting attack, which means a malicious user posts <script>
blocks (and perhaps other bad things). The typical problem is that most web
apps don't escape the post data when it's then shown back to other users.
This means the script gets executed in someone else's browser and it could
do things like steal cookies. Google for cross site scripting to learn more.

You can disable this security check via validateRequest="false":

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfpagessection.asp
 
Ersin Gençtürk

Hi Brock,

I know about cross site scripting, but it should check "<" or ">". Why does
this phrase "onk=" cause an error? Try it.
 
Brock Allen

Yeah, I see that.... Well, the validate request feature is not going to catch
everything and it's just doing rough checks. So, you can disable the page
check and do your own.

BTW, this input is allowed in ASP.NET 2.0. The implementation of the validation
has changed slightly to not be so restrictive.
 
Ersin Gençtürk

OK, but my question was why this happens. I know it is causing an error. But is
it a bug? Because it is not a dangerous request for a web application. I
wonder if it is an encoded character resulting in a "<" character or what?
 
Brock Allen

The implementation in v1.1 is fairly restrictive and in v2.0 it's changed.
So perhaps it was a bug and it's fixed in v2.0. I don't know the dev that
worked on it, so I can't say for sure.
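
An added illustration, not part of the thread and not the framework's own code: a simplified C# model of a rough v1.1-style check beside a relaxed v2.0-style one, with HTML encoding of the output as the "do your own" step. It assumes the stricter check also flags `on` + letters + `=` (the shape of an event-handler attribute), which would explain why `onk=` is rejected without any "<" or ">"; the class and method names are hypothetical and the inputs are constructed.

```csharp
using System;
using System.Net; // WebUtility.HtmlEncode; inside a page, HttpUtility.HtmlEncode does the same job

// Simplified model for illustration; not the framework's source. All names are hypothetical.
static class RoughRequestCheck
{
    // Assumed v1.1-style rule: "on" at a word start, then letters, optional spaces, "=".
    static bool LooksLikeEventHandler(string s, int i)
    {
        if (i + 1 >= s.Length || char.ToLowerInvariant(s[i]) != 'o'
                              || char.ToLowerInvariant(s[i + 1]) != 'n') return false;
        if (i > 0 && char.IsLetter(s[i - 1])) return false;   // "money=" is not "on...="
        int j = i + 2;
        while (j < s.Length && char.IsLetter(s[j])) j++;
        while (j < s.Length && char.IsWhiteSpace(s[j])) j++;
        return j < s.Length && s[j] == '=';
    }

    // Assumed v2.0-style rule: "<" followed by a letter or "!", or "&#".
    static bool LooksLikeTagOrEntity(string s, int i)
    {
        if (i + 1 >= s.Length) return false;
        char next = s[i + 1];
        if (s[i] == '<') return char.IsLetter(next) || next == '!';
        return s[i] == '&' && next == '#';
    }

    public static bool RejectedByStrictModel(string s)
    {
        for (int i = 0; i < s.Length; i++)
            if (LooksLikeEventHandler(s, i) || LooksLikeTagOrEntity(s, i)) return true;
        return false;
    }

    public static bool RejectedByRelaxedModel(string s)
    {
        for (int i = 0; i < s.Length; i++)
            if (LooksLikeTagOrEntity(s, i)) return true;
        return false;
    }

    static void Main()
    {
        // Constructed sample inputs.
        foreach (string input in new[] { "onk=", "money=5", "a < b", "<script>", "&#60;" })
            Console.WriteLine("{0,-10} strict={1,-5} relaxed={2,-5} encoded={3}", input,
                RejectedByStrictModel(input), RejectedByRelaxedModel(input),
                WebUtility.HtmlEncode(input));
    }
}
```

Under these assumptions only the strict model rejects `onk=`, while both reject `<script>`; the encoded column is what should be written back into the page regardless of which input check is active.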
 
