TeamMentor / TM_4_0_Design

Repo Holds TM 4.x issues

IIS error when HTML elements are included in the address bar #677

Open DinisCruz opened 9 years ago

DinisCruz commented 9 years ago

On IIS, this request: http://beta.teammentor.net/show/-6234f2d47eb7,%3Ch1%3Equery%3C/h1%3E-1a265c6dffd1,query-09ffeb0d1570/ (i.e. /show/-6234f2d47eb7,<h1>query</h1>-1a265c6dffd1,query-09ffeb0d1570/) will throw an IIS error.

image

that doesn't work when running directly on node (at http://localhost:1337/show/-6234f2d47eb7,%3Ch1%3Equery%3C%3E-1a265c6dffd1,query-09ffeb0d1570/):

image

I think this is caused by IIS anti-XSS validation methods that throw an error on ( < and > ).

romichg commented 9 years ago

Hmm... interesting. Taking a look at how to turn this off.

romichg commented 9 years ago

This was fixed with

<system.web>
    <httpRuntime requestPathInvalidCharacters="%,&amp;,:,\,?" />
</system.web>

Note that %,&,:,\,? are characters that will still produce the error.

DinisCruz commented 9 years ago

Yep, looks fixed

image

> Note that %,&,:,\,? are characters that will still produce the error.

Yes, sending

http://beta.teammentor.net/show/-6234f2d47eb7,%3Ch1%3Equery%3C/h1%3E-1a26%5c6dffd1,query-09ffeb0d1570%,&,:,/,?

will return

image

which I think is ok

@tekgirl77 or @michaelhidalgo can you write a unit test that checks both scenarios on the beta.teammentor.net server? This test should be in a separate folder and test (since it will be part of the tests that we will run against the live server, to make sure it is all good).
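
Added example (not part of the thread or of TeamMentor's code): a simplified JavaScript model of the ASP.NET request-path character check, applied to the two URLs quoted above with the default list and with the list from the fix. The function names, the lenient handling of malformed escapes such as `%,`, and the `escapeHtml` helper are assumptions of this example.

```javascript
// Simplified model of ASP.NET's requestPathInvalidCharacters check (added example).
// ASP.NET's documented default value for the attribute:
const DEFAULT_INVALID = '<,>,*,%,&,:,\\,?';
// Value from the fix in this thread (XML-unescaped: &amp; is &):
const RELAXED_INVALID = '%,&,:,\\,?';

// The attribute is a comma-separated list of single characters.
function parseInvalidChars(setting) {
  return new Set(setting.split(',').map(s => s.trim()).filter(s => s.length === 1));
}

// Percent-decode the path only; the query string is not part of this check.
// Assumption of this model: a malformed escape such as "%," is kept literally.
function decodedPath(url) {
  const pathOnly = url.replace(/^[a-z]+:\/\/[^/]*/i, '').split('?')[0];
  return pathOnly.replace(/%([0-9a-f]{2})/gi,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Returns the distinct characters that would cause the request to be rejected.
function rejectedChars(url, setting) {
  const invalid = parseInvalidChars(setting);
  return [...new Set(decodedPath(url))].filter(c => invalid.has(c));
}

// With "<" and ">" no longer rejected by the server, any path segment that is
// echoed into a page has to be HTML-encoded by the application itself.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// The two URLs quoted in the thread.
const htmlInPath = 'http://beta.teammentor.net/show/-6234f2d47eb7,%3Ch1%3Equery%3C/h1%3E-1a265c6dffd1,query-09ffeb0d1570/';
const stillBlocked = 'http://beta.teammentor.net/show/-6234f2d47eb7,%3Ch1%3Equery%3C/h1%3E-1a26%5c6dffd1,query-09ffeb0d1570%,&,:,/,?';

console.log('default list, HTML in path :', rejectedChars(htmlInPath, DEFAULT_INVALID));
console.log('relaxed list, HTML in path :', rejectedChars(htmlInPath, RELAXED_INVALID));
console.log('relaxed list, second URL   :', rejectedChars(stillBlocked, RELAXED_INVALID));
console.log('encoded for output         :', escapeHtml('<h1>query</h1>'));
```

In the second URL the trailing `?` starts an empty query string, so in this model it never reaches the path check; the rejection comes from `\` (sent as `%5c`), `%`, `&` and `:`.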