开发者

HttpRequestValidationException showing YSOD despite customErrors section

we've modified our customErrors section to protect against the recent ASP.NET vulnerability.

Our problem is, that HttpRequestValidationException's are now causing a YSOD's to be shown, other exceptions and page not found errors are showing our custom error page.

If we change the redirectMode to ResponseRedirect everything works fine.

This is our modified section:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.as开发者_运维问答px"/>

This question has nothing to do with the recent ASP.NET vulnerability!It's about the ResponseRewrite redirectMode in combination with HttpRequestValidationException's. We know there will soon be a patch and that we could change back to ResponseRedirect.

Kind regards, Martin


This happens when your error page generates an error.

Make sure you turn off request validation on your error page. <%@ Page ValidateRequest="false" %>

You then of course need to encode any user input that displays on your error page. eg. Server.HtmlEncode(ex.Message)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜