ASP.NET validation error in 'CombinedScript'?

We have an ASP.NET web form application that sometimes generates a validation error, as shown below. What could be the reason for this?

A validation error has occurred.

Exception type: System.Web.HttpRequestValidationException

Exception message: A potentially dangerous Request.QueryString value 
    was detected from the client 
    (_TSM_CombinedScripts_="...</div>...").

Request URL: https://...:443/Default.aspx?_TSM_HiddenField_=
    ctl00_sm1_HiddenField&_TSM_CombinedScripts_=
    %3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c
    +Culture%3dneutral%2c
    +PublicKeyToken%3d28f01b0e8%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
    %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
    </div>%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20<div%20class=

Stack trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   at System.Web.HttpRequest.get_QueryString()
   at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
   at System.Web.UI.Page.DeterminePostBackMode()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.user_default_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

More details:

I do not think this is a "malicious" request; rather, it is due to incorrect processing of this script link. If so, how should this be handled?

The following script block is in the generated HTML source for the page in question:

<script src="/Default.aspx?_TSM_HiddenField_=
ctl00_sm1_HiddenField&_TSM_CombinedScripts_=
%3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c
+Culture%3dneutral%2c
+PublicKeyToken%3d28f01c0e84b6d53e%3aen%3a7e147239-dd05-47b0-7fb3-
f743a139f982%3be2e86bf9%3a1aa13a87%3a8ccd9c1b%3a9ea3f0e2%3a9e7e87e9
%3a4c9865be%3aba594826%3ac4c00916%3a630bb7c2%3af442e939"
type="text/javascript"></script>
+3
1

ASP.NET HTML ( ) Querystring Form. @Page ValidateRequest (true ).

, XSS. - , URL.

</div>, . Javascript, encodeURIComponent() .

+1
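
The difference between the script URL the page emits and the URL in the error report can be checked mechanically. The block below is an added example, not code from the original post or from ASP.NET: it decodes both query strings and applies a simplified model of request validation. The rule used ("<" followed by a letter, "!", "/" or "?", or the sequence "&#") is an assumption about the framework check, and the two sample queries are shortened from the values shown in the question.

```javascript
// Simplified model of ASP.NET request validation (assumption, not framework source):
// flag "<" followed by a letter, "!", "/" or "?", and the sequence "&#".
function looksDangerous(value) {
  return /<[A-Za-z!\/?]|&#/.test(value);
}

// Decode one form-urlencoded component; "+" means space.
function decodeComponent(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch {
    return s; // malformed percent-escape: keep the raw text
  }
}

// Split a raw query string into decoded name/value pairs.
function parseQuery(rawQuery) {
  const pairs = [];
  for (const part of rawQuery.split("&")) {
    if (!part) continue;
    const i = part.indexOf("=");
    const name = i < 0 ? part : part.slice(0, i);
    const value = i < 0 ? "" : part.slice(i + 1);
    pairs.push([decodeComponent(name), decodeComponent(value)]);
  }
  return pairs;
}

// Names of the parameters that the model would reject.
function flaggedParams(rawQuery) {
  return parseQuery(rawQuery)
    .filter(([, value]) => looksDangerous(value))
    .map(([name]) => name);
}

// Constructed samples, shortened from the question.
// INTACT: the query as emitted in the page's <script src="...">.
const INTACT =
  "_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_=" +
  "%3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c" +
  "+Culture%3dneutral%2c+PublicKeyToken%3d28f01c0e84b6d53e%3aen";
// MANGLED: the query from the error report, truncated with page markup appended.
const MANGLED =
  "_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_=" +
  "%3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c" +
  "+Culture%3dneutral%2c+PublicKeyToken%3d28f01b0e8%20%20</div>%20%20<div%20class=";

console.log("intact :", flaggedParams(INTACT));
console.log("mangled:", flaggedParams(MANGLED));
```

The intact URL passes; the mangled one is flagged only because the client cut the token short and appended surrounding HTML from the page to the URL it requested.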

Source: https://habr.com/ru/post/1708542/

