Hidden Input Field causes potentially dangerous Request.Form value error

In my ASP.NET 1.1 application, I am compressing and replacing the hidden Viewstate variable with an alternate compressed value, stored in a hidden field called __VSTATE. This works well but on a few occasions, submitting a page causes the common "potentially dangerous Request.Form value ..." error.

I examined the __VSTATE value and nothing seems to be potentially dangerous. I was able to reproduce the error with a completely stripped down version of the page as shown in the code snippet. Pressing the submit button causes the error. The page works fine if I change the value to "".

Can someone explain why this is happening and suggest a solution? I do not want to remove page validation. During my testing, I tried using HTMLEncode but that doesn't change the test value in the snippet and still generates an error.
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="Dangerous.aspx.vb" Inherits="Dynalabs.Dangerous" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
  <body MS_POSITIONING="FlowLayout">
 
    <form id="Form1" method="post" runat="server">
      <input type="hidden" id="__VSTATE" runat="server" value="Onw=" />
      <asp:Button ID="btnSubmit" Runat="server" Text="Submit" />
    </form>
 
  </body>
</html>


ZekeLA asked:

varungd commented:
Add ValidateRequest="false" in the page directive like
 <%@ Page Theme="SkyHigh" Language="C#" AutoEventWireup="true" CodeBehind="Test.aspx.cs" Inherits="Log.Test" ValidateRequest="false"  %>


varungd commented:
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="Dangerous.aspx.vb" Inherits="Dynalabs.Dangerous" ValidateRequest="false" %>
ZekeLA (Author) commented:
I appreciate the responses but that doesn't really address the problem for two reasons:

1) Removing the request validation means users could enter truly dangerous requests (such as scripts and tags), which I would have to trap throughout the entire application and hope I did as good a job as what .NET already has built in.

2) This isn't a case where I want to allow the user to enter formatted text and I need to allow html tags. My input value is just "Onw=" which has no dangerous values as far as I can determine. From my viewpoint, this shouldn't be any worse than if the value was "abcd".

My only thought at the moment is that .NET is concerned about the variable itself somehow because I named it with a double underscore or because I duplicated some internal name. I'll try to test that but I'm still looking for a solution.

Thank you.
ZekeLA (Author) commented:
Changing the field's name makes no difference. I tried id="MyHiddenWT" and still got the error. Removing the runat="server" does prevent the error but that just means that .NET only examines server side controls.

I also tried some additional values and found that of the following:
   "Anw=", "Bnw=", "Cnw=", ... "Nnw=", "Onw=", "Pnw=", ... "Znw=",
"Onw=" is the only one that causes the problem. Is the capital O being seen as an octal value somehow?
ZekeLA (Author) commented:
Per another site, the reason is cross site scripting: http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet.security/browse_thread/thread/d91d89511401e979

It's being evaluated as a potential "onSomeEvent = doSomething()" script. Per Mike Kozlowski (http://www.klio.org/mlk/), for easy reference for some future person looking at this thread because they're having the same problem, the XSS validator blocks any string matching (in effect) the following regexes:

script\s*=
[^a-zA-Z]on[a-zA-Z]*\s*=
expression
&#
<[a-zA-Z!]

The last two are impossible with Base64 encoding (which only allows letters, digits, +, /, and =), the first two are impossible if you just do UrlEncode twice in a row (to prevent equal signs from occurring), and the third is vanishingly unlikely in random characters, but if you're concerned about it, you can just replace all "x" characters with "," after the Base64 encoding.
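As an added illustration (not code from the thread or from .NET), the following Python models the five heuristics listed above and the encoding advice from the same post. The regex model assumes the check is case-insensitive and that start-of-string counts as a non-letter boundary for the "on...=" rule, since that is the only way the thread's own "Onw=" case trips it; the as_seen_by_validator helper assumes the server URL-decodes a form value once before validation inspects it.

```python
import base64
import re
import urllib.parse

# Approximation of the request-validation heuristics quoted in the thread.
# Assumptions (not quoted from .NET): matching is case-insensitive, and the
# "on...=" rule treats start-of-string as a boundary, which is what makes the
# thread's "Onw=" example trip it.
DANGEROUS_PATTERNS = [
    re.compile(r"script\s*=", re.IGNORECASE),
    re.compile(r"(?:^|[^a-zA-Z])on[a-zA-Z]*\s*=", re.IGNORECASE),
    re.compile(r"expression", re.IGNORECASE),
    re.compile(r"&#"),
    re.compile(r"<[a-zA-Z!]"),
]


def is_dangerous(value: str) -> bool:
    """True if the value would trip any of the modelled heuristics."""
    return any(p.search(value) for p in DANGEROUS_PATTERNS)


def as_seen_by_validator(field: str) -> str:
    """Model of the value after the server's own single URL decode, which is
    what request validation inspects (assumption about ASP.NET 1.1)."""
    return urllib.parse.unquote(field)


def encode_viewstate(raw: bytes) -> str:
    """Base64, swap 'x' for ',' (Base64 never emits ','), then percent-encode
    twice so neither '=' nor 'expression' can reach the validator."""
    b64 = base64.b64encode(raw).decode("ascii").replace("x", ",")
    once = urllib.parse.quote(b64, safe="")
    return urllib.parse.quote(once, safe="")


def decode_viewstate(field: str) -> bytes:
    """Reverse encode_viewstate: undo both percent-encodings, restore 'x'."""
    once = urllib.parse.unquote(field)
    b64 = urllib.parse.unquote(once).replace(",", "x")
    return base64.b64decode(b64)


if __name__ == "__main__":
    # b":|" is the constructed payload whose Base64 form is exactly "Onw=".
    field = encode_viewstate(b":|")
    print("Onw= flagged:", is_dangerous("Onw="))
    print("encoded field:", field, "flagged:",
          is_dangerous(as_seen_by_validator(field)))
    print("round trip:", decode_viewstate(field))
```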