Geek Answers Handbook

Silent request processing

I am trying to redefine the onError event handler of a web form to resolve the "potentially dangerous Request.Form value from client type errors" that should be processed on the form, and not end with an application level error handler.

I found the sample code as follows:

protected override void OnError(EventArgs e) { // At this point we have information about the error HttpContext ctx = HttpContext.Current; Exception exception = ctx.Server.GetLastError(); string errorInfo = "<br>Offending URL: " + ctx.Request.Url.ToString() + "<br>Source: " + exception.Source + "<br>Message: " + exception.Message + "<br>Stack trace: " + exception.StackTrace; ctx.Response.Write(errorInfo); // -------------------------------------------------- // To let the page finish running we clear the error // -------------------------------------------------- ctx.Server.ClearError(); base.OnError(e); }

Which satisfactorily catches the error and writes the error message to the screen, but what I really want to do is to know about the error when Page_Load starts and thus display the error message “normal” on the web form.

I'm sure there is a good way to do this, but I don't know that! Suggestions?

(BTW for various reasons, I don’t want to disable validation at any level of the form or application, and I don’t want to rely on Javascript either - thanks)

+4
source share
3 answers

You can really catch the error at the page level, but it will kill the page life cycle. So you need to use a trick to get around this. Example:

 public override void ProcessRequest(HttpContext context) { try { base.ProcessRequest(context); } catch(HttpRequestValidationException ex) { context.Response.Redirect("HandleValidationError.aspx"); } }

HandleValidationError.aspx can be anything, including redirecting to the same page (possibly using a request with error information, for example, "ContactForm.aspx? Error = Invalid + Request")

+4
source

I think I understand what you want to do, but I'm afraid it is impossible. When your ASP.NET page performs a postback, a new thread is created on the server to process the request. Before the life cycle of your page even begins, offensive XSS will be detected and an exception will be thrown. After this exception is thrown, you are "evicted" from the life cycle of the ASP.NET page, and there is no way to re-enter it. At this stage, the only thing you can do on the client side is to display an error or redirect to the error page.

What you seem to want to do is catch the exception, write it somewhere on the page and continue the life cycle of the ASP.NET page (i.e. restore the control tree, restore the view state, call event handlers, etc. ) The problem is that when you get an unhandled exception, you no longer have access to the life cycle of the ASP.NET page. In this particular case, there is no place to block try / catch, because an exception is thrown from the ASP.NET lifecycle before calling its own code.

I know that you said you didn’t want to rely on Javascript, but in this case I think using Javascript is the only way to get the behavior you need. You can still keep the server side validation, in case your users turn off Javascript or enter some data that your Javascript does not process.

+1
source

I do not think that you can handle the error in the Page_load event. In the ASP.NET page lifecycle, validation events will occur after the page loads.

Perhaps you can add a hidden div (<asp: Panel Visible = false ...) that contains your "normal error message". if an error message appears in the OnError event with an error message.

jason

0
source

More articles:


All Articles