markdomansky / WebJEA

WebJEA - Secure Self Service Web Forms from PowerShell Scripts
GNU General Public License v3.0

Text input like HTML <tag> causes "There was an error" #84

Closed AustinRozendaal closed 2 years ago

AustinRozendaal commented 2 years ago

If a script is submitted with something resembling an HTML tag in a text input, the script does not run and error.aspx is shown.

Error on input:
- <script>
- <a>
- <asdfasdfasdf>
- </>

No error on input:
- <>
- < >
- <1234>
- <  a>

AustinRozendaal commented 2 years ago

On further experimentation, it turns out inputs like <a and </ are enough to break it.

AustinRozendaal commented 2 years ago

Should have checked the ASP.NET logs - I didn't know that IIS blocks potentially dangerous form requests by default. After adding <httpRuntime requestValidationMode="2.0" /> to Web.config and adding ValidateRequest="false" to the attributes in the Page directive at the top of default.aspx, I am able to submit with no errors.

markdomansky commented 1 year ago

This is an ASP.NET security feature. Disabling it is not recommended, though.
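
Added example, not part of the thread and not WebJEA or ASP.NET code: a PowerShell model of the request-validation check, run against the inputs reported above, with the HTML-encoded form a script should emit if it echoes such input once validation is turned off. The pattern is an assumption about the ASP.NET heuristic (`<` directly followed by a letter, `!`, `/` or `?`, or `&` directly followed by `#`), and `Test-RequestValidationTrigger` is a hypothetical name.

```powershell
# Added example: a model of the ASP.NET request-validation heuristic.
# Assumption: a form value is rejected when '<' is directly followed by an
# ASCII letter, '!', '/' or '?', or when '&' is directly followed by '#'.
function Test-RequestValidationTrigger {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Value
    )
    # -cmatch is case-sensitive, so both letter ranges are listed explicitly.
    return ($Value -cmatch '<[A-Za-z!/?]|&#')
}

# Inputs taken from the issue, with the behaviour the reporter observed
# ($true = error.aspx was shown, $false = the form submitted normally).
$reported = [ordered]@{
    '<script>'       = $true
    '<a>'            = $true
    '<asdfasdfasdf>' = $true
    '</>'            = $true
    '<a'             = $true
    '</'             = $true
    '<>'             = $false
    '< >'            = $false
    '<1234>'         = $false
    '<  a>'          = $false
}

$rows = foreach ($entry in $reported.GetEnumerator()) {
    $predicted = Test-RequestValidationTrigger -Value $entry.Key
    [pscustomobject]@{
        Input     = $entry.Key
        Reported  = $entry.Value
        Predicted = $predicted
        Agrees    = ($predicted -eq $entry.Value)
        # With ValidateRequest="false" the page no longer rejects these values,
        # so anything echoed back into HTML must be encoded by the script.
        Encoded   = [System.Net.WebUtility]::HtmlEncode($entry.Key)
    }
}

$rows | Format-Table -AutoSize
```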