
9/30/2005 8:42:28 AM    Server.URLEncode and potentially dangerous string
Hi,

Code snippet

--------------

strErrMsg = "Could not find a part of the path \"C:\\Temp\\data\\Test.xml\".";

// URL-encode the message and pass it to Message.aspx in the query string
Server.Transfer("Message.aspx?errormsg=" + Server.UrlEncode(strErrMsg));

---------------

I'm getting a "potentially dangerous Request.Form value was detected from the client" error message.

I browsed several sites and found people discussing the < and > characters. But in my above string I do not have any of those characters.

What is the potentially dangerous string in the above string?

What is the solution?

Please let me know.

Thanks

Veena



9/30/2005 11:52:21 AM    Re: Server.URLEncode and potentially dangerous string
veenakj@gmail.com wrote:

This is basically a pre-emptive attempt by IIS to prevent cross-site scripting attacks, buffer overflows, etc. In the past IIS was riddled with these types of holes. My guess is that the number of backslashes and periods is causing IIS to think that someone is trying to post malicious code. You can turn this off by setting validateRequest="false" for your page.
  
--  
  
Rob Schieber
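
If request validation is switched off for Message.aspx as suggested in the reply above, the page itself has to encode the errormsg value before writing it out. The following is an added example, not code from the thread; the class name Message, the label lblMessage, the length limit and the fallback text are assumptions.

```csharp
// Message.aspx.cs: code-behind for a page declared with
//   <%@ Page Language="C#" ValidateRequest="false"
//            CodeFile="Message.aspx.cs" Inherits="Message" %>
// Assumption: Message.aspx contains
//   <asp:Label ID="lblMessage" runat="server" />
using System;
using System.Web.UI;

public partial class Message : Page
{
    // Upper bound on how much caller-supplied text is echoed back
    // (constructed value for this example).
    private const int MaxLength = 500;

    protected void Page_Load(object sender, EventArgs e)
    {
        // QueryString values arrive already URL-decoded.
        string raw = Request.QueryString["errormsg"];

        if (string.IsNullOrEmpty(raw))
        {
            lblMessage.Text = "An error occurred.";
            return;
        }

        if (raw.Length > MaxLength)
        {
            raw = raw.Substring(0, MaxLength);
        }

        // With ValidateRequest="false" ASP.NET no longer rejects markup in
        // the request, and Label.Text is rendered without encoding, so the
        // value is HTML-encoded here before it reaches the response.
        lblMessage.Text = Server.HtmlEncode(raw);
    }
}
```

Setting ValidateRequest in the @ Page directive limits the change to this one page; the rest of the application keeps request validation on.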