Precompile all site still gets the error message “A potentially dangerous request.querystring value was detected from the client”

  • Question

  • User-449643886 posted

    I did search and read so many posts that talk about the error message "A potentially dangerous request.querystring value was detected from the client". But, I believe my problem is totally different.

    In my web.config file, I already defined two keys below:

    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />

    So, if I publish my project (asp.net webform) without using the Precompile option, everything will work smoothly as I expected.

    However, if I publish my project with Precompile option (precompile all site), the error above will always occur when I submit a form.

    The submit form is so simple, it contains one input text control and one submit button. And my input text was <script>alert(1)</script>

    So, my question is why does this issue happen with the precompile publish build? Any advice for me?

    Wednesday, June 6, 2018 3:32 PM

All replies

  • User283571144 posted

    Hi RDev,

    Could you please tell me which web application you have published? Web application or web site?

    The precompile will work with a different result for these two types.

    Best Regards,

    Brando

    Thursday, June 7, 2018 9:59 AM
  • User-449643886 posted

    @Brando,

    That is a web application.

    I also attach here some captured images of the precompile settings.

    https://drive.google.com/open?id=1vYLxbtdu508dcTs_OGZybnfORBWNJqz7

    https://drive.google.com/open?id=1h8wLdyQEbXxrEVKLjHY01FuB3LLwDbjg 

    Thursday, June 7, 2018 10:15 AM
  • User863160722 posted

    This thread from 2010 suggests that the validateRequest setting is ignored when you precompile the site, unless you also select the "Allow this precompiled site to be updatable" option.

    If you need to access the request data without triggering the validation, use the Request.Unvalidated collections.

    NB: This could leave your site vulnerable to XSS unless you properly encode any values read from these collections before you display them.

    Thursday, June 7, 2018 3:20 PM
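
An added example (not code from this thread or from any poster) of the approach in the reply above: read a single field through Request.Unvalidated and encode it for each place it is written back out. The class name, the field name `comment`, the control names and `Search.aspx` are hypothetical, and the sketch assumes .NET Framework 4.5 or later with `requestValidationMode="4.5"`.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind. The .aspx is assumed to contain a plain
// <input type="text" name="comment" />, a submit button,
// <asp:Literal ID="Preview" runat="server" /> and
// <asp:HyperLink ID="SearchLink" runat="server" />.
public class CommentPage : Page
{
    private const int MaxLength = 500;   // assumed application limit

    protected Literal Preview;
    protected HyperLink SearchLink;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.HttpMethod != "POST")
            return;

        // Only this one field skips request validation. Anything read via
        // Request.Form or Request.QueryString is still validated as usual.
        string raw = Request.Unvalidated.Form["comment"] ?? string.Empty;

        // The value was let through on purpose, so apply the page's own
        // limits before using it anywhere.
        if (raw.Length > MaxLength)
            raw = raw.Substring(0, MaxLength);

        // HTML body context: Literal writes its Text as-is by default,
        // so the value must be HTML-encoded first.
        Preview.Text = HttpUtility.HtmlEncode(raw);

        // URL context: encode the value as a query-string component.
        SearchLink.NavigateUrl =
            "~/Search.aspx?q=" + HttpUtility.UrlEncode(raw);
        SearchLink.Text = HttpUtility.HtmlEncode("Search for: " + raw);
    }
}
```

The encoding call follows the output context, so a value that is safe inside the Literal is not automatically safe inside a URL or a script block.
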
  • User-449643886 posted

    Thank you so much, Richard!

    Your information makes sense to me. But, I still have some concerns about the reason why the validateRequest setting is ignored when the web application is published as precompile all site? And, is there a way to disable it (keep the validateRequest=False setting working normally) in code or configuration in the web.config file?

    Friday, June 8, 2018 1:39 AM
  • User-394116914 posted

    yeah. thanks RichardD

    Friday, June 8, 2018 10:36 AM