
Request Validation - how and why is it disabled in SiteCore?

We have a text box in sitecore that allows users to search for things. This posts back to the server which goes off, does a search and returns some results (showing them on the screen).

When I input something dodgy, e.g. some markup I would expect to receive a .net exception along the lines of:

A potentially dangerous Request.QueryString value was detected from the client (q="<img src="http://www..."). 

As I understand it, that has been default behaviour since v1.1 of ASP.NET. And then in v4.0 it remained the default they just extended it to all requests (not just web pages).

So the question is as follows:

1. how have sitecore disabled this?
2. what can I do to re-enable this globally (i.e. not on a per page basis)?

I note there is a section of the web.config that starts like this:

<!-- Continue to run Sitecore without script validations -->
<pages validateRequest="false" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
chrislewisdev Avatar asked Feb 02 '12 14:02



1 Answer

You answered your own questions. Here are answers to your questions:

  1. In Sitecore the default web.config comes with this set as <pages validateRequest="false" ... />

  2. To turn it on, set it to true

Also, you can take a look at this blog post which indicates the SuppressFormValidation processor in the PreprocessRequest pipeline may be causing this issue you're having.

Here's the "offending" code that was identified:

using System;
using System.Collections.Specialized;
using System.Web;
using Sitecore.Diagnostics;

namespace Sitecore.Pipelines.PreprocessRequest
{
    public class SuppressFormValidation : PreprocessRequestProcessor
    {
        public override void Process(PreprocessRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            try
            {
                // Reading Request.Form makes ASP.NET validate the form collection once;
                // any HttpRequestValidationException is raised here instead of in the page.
                NameValueCollection form = args.Context.Request.Form;
            }
            catch (HttpRequestValidationException exception)
            {
                // The exception is swallowed for every URL, so later reads of Request.Form
                // succeed without re-validating. Outside the Sitecore shell it is only logged.
                if (!args.Context.Request.RawUrl.StartsWith("/sitecore/shell/", StringComparison.InvariantCultureIgnoreCase))
                {
                    Log.Error(exception.Message, exception, this);
                }
            }
        }
    }
}

The blog post has new code you can replace it with to only suppress validation in the Sitecore shell (the back-end GUI).

Mark Ursino Avatar answered Sep 27 '22 19:09

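As an added illustration (not the blog post's code and not Sitecore's own), here is a replacement processor that only swallows the validation exception for Sitecore shell URLs, so that public pages such as the search box keep ASP.NET request validation. It assumes the same base types shown in the decompiled snippet above; the namespace, class name and the `Log.Info` overload are assumptions for this example.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.PreprocessRequest;

// Hypothetical namespace for this example. To use it, swap the type of the
// SuppressFormValidation processor in the preprocessRequest pipeline (assumed
// to be registered in web.config) for this class, and keep
// <pages validateRequest="true"> (with requestValidationMode="4.0" on .NET 4,
// validation then covers every request, not just pages).
namespace Example.Pipelines.PreprocessRequest
{
    public class SuppressShellFormValidation : PreprocessRequestProcessor
    {
        private const string ShellPrefix = "/sitecore/shell/";

        public override void Process(PreprocessRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");
            HttpRequest request = args.Context.Request;

            // Not a shell URL: leave Request.Form untouched here. The first consumer of
            // the form data (the page or handler) then triggers validation itself and
            // receives the "potentially dangerous Request.Form value" exception that
            // the original processor was hiding.
            if (!request.RawUrl.StartsWith(ShellPrefix, StringComparison.InvariantCultureIgnoreCase))
            {
                return;
            }

            try
            {
                // Touching the collection runs validation exactly once; ASP.NET clears
                // its "needs validation" flag before throwing, so later reads succeed.
                NameValueCollection form = request.Form;
            }
            catch (HttpRequestValidationException)
            {
                // Shell editors legitimately post markup (rich text fields), so this is
                // expected there; record it at info level instead of as an error.
                Log.Info("Request validation suppressed for shell URL: " + request.RawUrl, this);
            }
        }
    }
}
```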