Resolving Dangerous Query Strings

I need to be able to resolve query strings containing characters like '<' and '>'. However, putting something like id=mi<ke in the URL will display a page with an error message:

A potentially dangerous Request.QueryString value was detected at the client (id="mi<ke").

If I first URL-encode the URL (to create id=mi%3Cke), I still get the same error. I can get around this by putting ValidateRequest="false" in the page directive, but I would prefer not to, if at all possible.

So is there a way to allow these characters in query strings without disabling ValidateRequest?

EDIT: I want users to be able to enter URLs manually, so some of their encoding may not work.

+3
5 answers

I ran into a problem like this. I decided to base64-encode the query string to get around it, using

System.Text.ASCIIEncoding.ASCII.GetBytes

to get the string as bytes and then

System.Convert.ToBase64String

to turn it into a "safe" string.

To return it, use:

System.Convert.FromBase64String

and then:

System.Text.ASCIIEncoding.ASCII.GetString

to reverse the polarity of the flow.

+5

A little googling, and I don't think so. The exception seems to occur before your code even runs, so you cannot catch the exception. I like the idea of encoding it as base64 or something similar.

+1

URL- id, . , URL- .

0

, . , ValidateRequest. - . , '<' '[' ' > ' ']' ( Base64). Javascript , . , .

jquery:

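 $(document).ready(function() {
    // Encode every non-empty text input just before the form is submitted
    $('form').bind('submit', function() {
        $('form > input[type=text]').each(function(i) {
           if (this.value) {
              this.value = encode(this.value);
           }
        });
    });
 });

 function encode(value) {
    // ...suitable encoding... (left open in the answer; the value is returned unchanged here)
    return value;
 }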
0
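
One possible body for the encode(value) placeholder in the jQuery answer above, using the Base64 idea from the first answer. This is an added example, not code from any of the original answers, and the function names are hypothetical. It encodes as UTF-8 rather than ASCII so characters such as 'Ø' survive, and uses the URL-safe alphabet because plain Base64 output can contain '+', '/' and '=', which have their own meaning in a query string.

```javascript
// Added example: URL-safe Base64 ("base64url") for a query-string value.
// Function names are hypothetical; nothing here comes from the original answers.

// Encode text as UTF-8, then Base64, then swap the characters that have
// meaning in URLs ('+', '/', '=') so the result needs no further escaping.
function encodeQueryValue(text) {
  const bytes = new TextEncoder().encode(text);   // UTF-8, so 'Ø' survives
  let binary = '';
  for (const b of bytes) {
    binary += String.fromCharCode(b);             // btoa expects one char per byte
  }
  return btoa(binary)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Reverse the substitutions, restore the padding and decode. Throws on input
// that is not valid base64url or not valid UTF-8 instead of guessing.
function decodeQueryValue(token) {
  if (!/^[A-Za-z0-9_-]*$/.test(token) || token.length % 4 === 1) {
    throw new Error('not a base64url value');
  }
  const padded = token.replace(/-/g, '+').replace(/_/g, '/') +
    '='.repeat((4 - (token.length % 4)) % 4);
  const binary = atob(padded);
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Constructed sample input, using the value from the question.
const sample = 'mi<ke';
const token = encodeQueryValue(sample);
console.log('id=' + token);
console.log(decodeQueryValue(token));
```

On the ASP.NET side the same steps run in reverse: restore '+', '/' and the '=' padding before calling System.Convert.FromBase64String. The decoded value must then be HTML-encoded wherever it is written into a page, since request validation never saw the '<' it contains.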

, javascript:

<script type="text/javascript">  

 var unencodedText = "This is my text that contains whitespaces and characters like  and Ø";  
 var encodedText = "";  
 var decodedText = "";  
 alert('unencodedText: ' + unencodedText);  

 //To encode whitespaces and the 'Ø' character - use encodeURI  
 encodedText = encodeURI(unencodedText);  
 //We see that whitespaces and 'Ø' are encoded, but the '' is still there:  
 alert('encodedText: ' + encodedText);  

 //If we decode it we should get our unencodedText back  
 decodedText = decodeURI(encodedText);  
 alert('decodedText: ' + decodedText);  

 //To also encode the '' we use the encodeURIComponent  
 encodedText = encodeURIComponent(unencodedText);  
 //Now all the characters have been encoded:  
 alert('encodedText: ' + encodedText);  

 //To get our unencodedText back we now need to use the decodeURIComponent  
 decodedText = decodeURIComponent(encodedText);  
 alert('decodedText: ' + decodedText);  

</script>

If you are dealing with more complex characters, you can use encodeURIComponent for the url.

And I stole this stone from this link.

0
