
Handling HttpRequestValidationException in ASP.NET

I have a problem where some users come to my site with cookies that contain < or & characters (partly outside my control). These are flagged as dangerous by ASP.NET. What I would like to do is to be able to catch the exception, check for certain well-known cases that I want to allow and then throw the exception again. I don't want to end up in the global Application_Error, because I want the request to carry on as if nothing happened in the selected "known cases".

I thought that I could do this by reading my Request.Cookies in Application_BeginRequest and then catching the exception. It turns out, however, that this is too early: the cookies can be read without any problem at this time. Inspection (with Reflector) shows that the validation exceptions are only thrown after the HttpRequest.ValidateInput() method is called. This sets the validation "sharp", but it's not clear to me when this happens. So when/where should I trigger the validation to prevent it from bubbling up later? Or maybe some totally different approach?


As a variation on Teun D's answer, another alternative would be to check for all cookies whose names begin with "__utm" (as Google Analytics cookies do) and clear their contents in the same way.

This solution could be slightly more robust, as the __utm... cookies can contain all sorts of garbage from external links and search engine referrals; there may be characters other than "<" in the values which trigger the RequestValidation error.

Apologies for the VB, but I'm sure you guys can translate into proper code easily enough :)

Imports System.Text.RegularExpressions

' Matches the Google Analytics cookie names (__utma, __utmb, __utmz, ...)
Private regGACookie As New Regex("^__utm")

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' HttpCookieCollection enumerates its keys, i.e. the cookie names
    For Each strName As String In Request.Cookies
        If regGACookie.IsMatch(strName) Then
            ' Leave the cookie on the client, but blank it in this request's collection
            Request.Cookies(strName).Value = ""
        End If
    Next
End Sub


It turns out to be quite difficult to handle this exception. I have not found a real answer to my question, but I found a work-around that may work for others too, so I'll document it here. The suspect values in my cookies are actually written there by Google Analytics, so I cannot prevent values with < in them from being written. However, I do not really need these cookies on the server anyway; Google Analytics reads their content on the client. So what I did was check the contents of the cookies myself and clear any suspect content for the duration of the request by setting the value to "". The cookie remains as is, but the content in the Request.Cookies collection is gone.

Good enough for me.

using System;
using System.Text.RegularExpressions;

// Matches a < followed by a letter, digit or underscore, i.e. the start of a tag
private static readonly Regex _hasHtmlTag = new Regex("<\\w");

protected void Application_BeginRequest(object sender, EventArgs e)
{
    // HttpCookieCollection enumerates its keys, i.e. the cookie names
    foreach (string name in Request.Cookies)
    {
        string cookieValue = Request.Cookies[name].Value;
        if (cookieValue != null && _hasHtmlTag.IsMatch(cookieValue))
        {
            // Leave the cookie on the client, but blank it in this request's collection
            Request.Cookies[name].Value = "";
        }
    }
}


You could disable this kind of validation by turning off request validation in web.config:

<configuration>  
    <system.web>  
       <pages validateRequest="false" />  
    </system.web>
</configuration>
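The question asks where the validation can be hooked so that a few well-known cases are allowed while everything else still fails. ASP.NET 4.0 and later exposes exactly that hook: the framework calls a System.Web.Util.RequestValidator for every value it checks, and a subclass can accept specific values before handing the rest to the stock validator. The following is an added example, not code from the question or from any of the answers above, and it goes beyond them: it turns the __utm prefix check from the answers into a validator that accepts only cookies with that name prefix and leaves all other cookies, form fields and query-string values validated as before. The class name, namespace and the "MyApp" assembly name are assumptions.

```csharp
// Added example (not from the page). Requires ASP.NET 4.0 or later,
// where System.Web.Util.RequestValidator is the extension point for
// request validation. Namespace and class name are assumed.
using System;
using System.Web;
using System.Web.Util;

namespace MyApp
{
    /// <summary>
    /// Request validator that tolerates Google Analytics "__utm*" cookies,
    /// whose values are written client-side and may contain "<" or "&",
    /// and defers every other check to the stock ASP.NET validator.
    /// </summary>
    public class GaCookieRequestValidator : RequestValidator
    {
        // Name prefix of the Google Analytics cookies (__utma, __utmb, __utmz, ...)
        private const string GaCookiePrefix = "__utm";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Only the cookie collection gets special treatment, and only the
            // well-known cookie names; everything else stays "sharp".
            if (requestValidationSource == RequestValidationSource.Cookies
                && collectionKey != null
                && collectionKey.StartsWith(GaCookiePrefix, StringComparison.Ordinal))
            {
                // No failure position to report for an accepted value
                validationFailureIndex = 0;
                return true;
            }

            // Every other value (other cookies, form fields, query string, headers)
            // is checked by the built-in validator exactly as before.
            return base.IsValidRequestString(
                context,
                value,
                requestValidationSource,
                collectionKey,
                out validationFailureIndex);
        }
    }
}
```

Register it in web.config with `<httpRuntime requestValidationType="MyApp.GaCookieRequestValidator, MyApp" />` (type and assembly name assumed). Two caveats. The allowlist is only safe because the server never renders these cookie values; anything the application does echo back still has to be HTML-encoded at output. And the blanket `validateRequest="false"` in the last answer switches the check off for every page and every input; on ASP.NET 4.0 and later it additionally requires `<httpRuntime requestValidationMode="2.0" />` before it has any effect, which is a second reason to prefer a narrow validator over disabling validation site-wide.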
