
We've recently been experiencing a problem on our site in Internet Explorer 8.

We have a form that, when submitted in IE8, displays a Validation Exception claiming the character "☃" is potentially dangerous.

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (_utf8="☃").

The funny thing is that this character is not typed in, and is not part of our VB .NET project.

If we set the page to validateRequest = "false", then the error goes away; however, we fear this is opening ourselves up to XSS attacks. We could sanitise our own inputs, but we would rather get to the source of the problem than create a workaround.

This thread regarding Ruby seems interesting, but we're unsure how it applies to our situation: What is the _snowman param in Ruby on Rails 3 forms for?

Also worth considering: the form works in all other browsers we have tested (IE11, Chrome, Firefox, Opera).

Tom Bowen
    "We could sanitise our own inputs" - I'd suggest you should be sanitising your inputs regardless of what .NET says it's doing! – Liath Jun 02 '14 at 13:58
    Sanitizing your own inputs **IS** how you fix the root of the problem. The .NET validation is just a workaround/safety net, not the permanent solution you should rely on. That said, could it be that there's an encoding mismatch somewhere? Maybe the browser submits the form in a different charset than you think? – Vilx- Jun 02 '14 at 13:59
    @Liath - all true - but an additional level of protection is always handy, especially in large projects/teams: even with some sort of penetration testing, can you be sure that you've encoded everything properly? The request validator is a first level of defense against XSS attacks (not bulletproof, but handy). – Ondrej Svejdar Jun 02 '14 at 14:31

1 Answer

You can override this specific case in the request validator (excuse my C#, hopefully you'll be able to translate it):

using System.Web;
using System.Web.Util;

public class EnhancedRequestValidator : RequestValidator {
  protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex) {
    // The validator is invoked once per value, and "value" holds only the field's
    // content (the exception message shows key="value", but the key arrives
    // separately in collectionKey). Exempt the hidden _utf8 marker field by key;
    // every other form field, header, cookie and query-string value still goes
    // through the default checks.
    if (requestValidationSource == RequestValidationSource.Form && collectionKey == "_utf8") {
      validationFailureIndex = 0;
      return true;
    }
    return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
  }
}

And in your web.config:

<system.web>
  <httpRuntime 
    requestValidationType="Contosco.Web.EnhancedRequestValidator, Contosco.Web" />
</system.web>
Ondrej Svejdar
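A VB.NET translation of the validator above, added here as an example and not part of the original answer. It exempts only the hidden _utf8 form field (matched by its key) and passes everything else to the framework's default validation; the type name in web.config's requestValidationType must match the namespace you place this class in.

```vbnet
' Added example: VB.NET version of the custom request validator.
Imports System.Web
Imports System.Web.Util

Public Class EnhancedRequestValidator
    Inherits RequestValidator

    ' Called once per value; "value" is only the field content, the field name
    ' arrives in collectionKey. The C# "out" parameter becomes ByRef here.
    Protected Overrides Function IsValidRequestString( _
            context As HttpContext, _
            value As String, _
            requestValidationSource As RequestValidationSource, _
            collectionKey As String, _
            ByRef validationFailureIndex As Integer) As Boolean

        ' Skip validation only for the _utf8 marker field posted by IE8; every
        ' other form field, header, cookie and query-string value still gets the
        ' default checks, so XSS protection for real input is unchanged.
        If requestValidationSource = RequestValidationSource.Form _
           AndAlso collectionKey = "_utf8" Then
            validationFailureIndex = 0
            Return True
        End If

        Return MyBase.IsValidRequestString(context, value, requestValidationSource, _
                                           collectionKey, validationFailureIndex)
    End Function
End Class
```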