Last post Jun 08, 2018 10:36 AM by chipvang1234
Jun 06, 2018 03:32 PM|RDev|LINK
I did search and read so many posts talk about the error message "A potentially dangerous request.querystring value was detected from the client". But, I believe my problem is totally different.
In my web.config file, I already defined two keys below:
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />
So, if I publish my project (asp.net webform) without using Precompile option, everything will work smoothly as my expected.
However, if I publish my project with Precompile option (precompile all site), the error above will always occur when I submit a form.
The submit form is so simple, it contains one input text control and one submit button. And my input text was <script>alert(1)</script>
So, my question is why this issue happens with precompile publish build? Any advice for me?
Jun 07, 2018 09:59 AM|Brando ZWZ|LINK
Could you please tell me which web application you have published? Web application or web site?
The procomple will work as different result from these two type.
Jun 07, 2018 10:15 AM|RDev|LINK
That is web application.
I also attach here some captured images of the precompile settings.
Jun 07, 2018 03:20 PM|RichardD|LINK
This thread from 2010 suggests that the
validateRequest setting is ignored when you precompile the site, unless you also select the "Allow this precompiled site to be updatable" option.
If you need to access the request data without triggering the validation, use the
NB: This could leave your site vulnerable to XSS unless you properly encode any values read from these collections before you display them.
Jun 08, 2018 01:39 AM|RDev|LINK
Thank you so much, Richard!
Your information makes sense to me. But, I still have some concerns about the reason why the
validateRequest setting is ignored when the web application is published as precompile all site? And, is there a way to disable it (keep
validateRequest=False setting work normally) in code or configuration in web.config file?
Jun 08, 2018 10:36 AM|chipvang1234|LINK
yeah. thanks RichardD