Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Request Validation - how and why is it disabled in SiteCore?

Tags:

asp.net

sitecore

sitecore6

We have a text box in sitecore that allows users to search for things. This posts back to the server which goes off, does a search and returns some results (showing them on the screen).

When I input something dodgy, e.g. some markup I would expect to receive a .net exception along the lines of:

A potentially dangerous Request.QueryString value was detected from the client (q="<img src="http://www...").

As I understand it, that has been default behaviour since v1.1 of ASP.NET. And then in v4.0 it remained the default they just extended it to all requests (not just web pages).

So the question is as follows:

1. how have sitecore disabled this?
2. what can I do to re-enable this globally (i.e. not on a per page basis)?

I note there is a section of the web.config that starts like this:

<!-- Continue to run Sitecore without script validations -->
<pages validateRequest="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
like image 930
chrislewisdev Avatar asked Feb 02 '12 14:02

chrislewisdev

1 Answers

You answered your own questions. Here are answers to your questions:

  1. In Sitecore the default web.config comes with this set as <pages validateRequest="false" ... />

  2. To turn it on, set it to true

Also, you can take a look at this blog post which indicates the SuppressFormValidation processor in the PreprocessRequest pipeline may be causing this issue you're having.

Here's the "offending" code that was identified:

namespace Sitecore.Pipelines.PreprocessRequest
{
    public class SuppressFormValidation : PreprocessRequestProcessor
    {
        public override void Process(PreprocessRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            try
            {
                NameValueCollection form = args.Context.Request.Form;
            }
            catch (HttpRequestValidationException exception)
            {
                if (!args.Context.Request.RawUrl.StartsWith("/sitecore/shell/", StringComparison.InvariantCultureIgnoreCase))
                {
                    Log.Error(exception.Message, exception, this);
                }
            }
        }
    }
}

The blog post has new code you can replace it with to only suppress validation in the Sitecore shell (the back-end GUI).

like image 199
Mark Ursino Avatar answered Sep 27 '22 19:09

Mark Ursino
Sign in to Comment

Related questions

Making Update Progress Panel in the center
What are some methods I can use to detect robots?
How to conditionally apply jQuery Sortable UI widget to table (ASP.NET GridView)?
ASP.net MVC get current viewengine
How do I get Sitecore (and my browser) to use the Print layout?
C# ASP.Net Webforms - string - static vs static readonly
how to find if the check box list is selected or not in asp.net
log4net cant create log file , when publish to server
ORA-06550 wrong number or types of arguments when calling Oracle stored procedure
Using Trace within Global.asax
UnitTest ASP.NET Application that Requires User to be Logged in
How to skip some column while exporting Grid view in excel?
How do perform a delete on listview that's not bound by a control
Using Session vs. Static class for saving user data
Hide the ASPxPopupControl from code behind
How do you know when a PayPal cart has been abandoned?
Javascript Events are not working in Tablet-pc?
Trouble Minimizing 304 Requests
Instance Failure in asp.net
Sending JSON object successfully to ASP.NET WebMethod, using jQuery

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!