Mike Kozlowski
In an ASP.NET 1.1 application, I'm encrypting URL parameters. This
has mostly been working great, but yesterday, one particular URL got
caught by the XSS checker, giving me the "A potentially dangerous
Request.QueryString value was detected from the client". Several
questions arise from this:
1. By reducing the querystring down as much as possible, I've found
that the offending characters are "oN%3d" -- removing the o, the
N, or the %3d, will all result in the string being okay; but
leaving all of them together like that triggers the validator.
Why? This is completely inexplicable to me.
2. What on earth can I do to avoid this? I'm already URL-encoding
(that %3d, obviously, was an '=' character), and HTML-encoding
doesn't seem like it'd have any effect on that string. I'd really
like to be able to pass random strings around without seemingly
innocuous characters triggering hard-fail validations.
Advice? Explanation?