E
Ersin Gençtürk
onk= -> why this string causes security errors ? it is'nt "<" neighter ">"
??
??
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
B
Brock Allen
This security check is done on postback data because that syntax could be
a cross site scripting attack, which means a malicious user posts <script>
blocks (and perhas other bad things). The typical problem is that most web
apps don't escape the post data when it's then showed back to other users.
This means the script gets executed in someone else's browser and it could
do things like steal cookies. Google for cross site scripting to learn more.
You can disable this security check via validateRequest="false":
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfpagessection.asp
-Brock
DevelopMentor
http://staff.develop.com/ballen
a cross site scripting attack, which means a malicious user posts <script>
blocks (and perhas other bad things). The typical problem is that most web
apps don't escape the post data when it's then showed back to other users.
This means the script gets executed in someone else's browser and it could
do things like steal cookies. Google for cross site scripting to learn more.
You can disable this security check via validateRequest="false":
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfpagessection.asp
-Brock
DevelopMentor
http://staff.develop.com/ballen
E
Ersin Gençtürk
hi brock ,
I know about cross site scripting but it should check "<" or ">" but why
this phrase "onk=" causes an error ? try it.
I know about cross site scripting but it should check "<" or ">" but why
this phrase "onk=" causes an error ? try it.
B
Brock Allen
Yeah, I see that.... Well, the validate request feature is not going to catch
everything and it's just doing rough checks. So, you can disable the page
check and do your own.
BTW, this input is allowed in ASP.NET 2.0. The implementation of the validation
has changed slightly to not be do restrictive.
-Brock
DevelopMentor
http://staff.develop.com/ballen
everything and it's just doing rough checks. So, you can disable the page
check and do your own.
BTW, this input is allowed in ASP.NET 2.0. The implementation of the validation
has changed slightly to not be do restrictive.
-Brock
DevelopMentor
http://staff.develop.com/ballen
E
Ersin Gençtürk
ok.but my question was why this happens ? I know it is causing error.But is
it a bug? Because it is not a dangereous request for an web application. I
wonder if is it an encoded character resulting "<" character or what ?
it a bug? Because it is not a dangereous request for an web application. I
wonder if is it an encoded character resulting "<" character or what ?
B
Brock Allen
The implementation in v1.1 is fairly restrictive and in v2.0 it's changed.
So perhaps it was a bug and it's fixed in v2.0. I don't know the dev that
worked on it, so I can't say for sure.
-Brock
DevelopMentor
http://staff.develop.com/ballen
So perhaps it was a bug and it's fixed in v2.0. I don't know the dev that
worked on it, so I can't say for sure.
-Brock
DevelopMentor
http://staff.develop.com/ballen