Description

ASP.NET implements various algorithms for securing ASP.NET websites against potentially malicious user requests, for example, by rejecting requests that contain characters susceptible to be used in XSS attacks, suspiciously long request paths, and so on.

When potentially malicious requests hit a Sitecore website, they might result in different errors either shown to the website visitor or written to Sitecore log files.

In certain situations such request validation might, however, cause normal pages not to load as expected. This article describes different errors caused by ASP.NET request validation and provides information on how to analyze and address them appropriately.

You can read more about the request validation in the MSDN article.

Scenario 1

Error message:

When website visitors submit form values that can be treated as HTML markup, the following error might appear in the log files and might be displayed to users (starting from Sitecore 7.1 Update-2):

ERROR A potentially dangerous Request.Form value was detected from the client (...).
Exception: System.Web.HttpRequestValidationException
Message: A potentially dangerous Request.Form value was detected from the client (...).
Source: System.Web
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form()
   ...

Solution:

• If you're experiencing this issue when using the Sitecore Client, perform the following steps:
  1. Add the requestValidationMode="2.0" attribute to the httpRuntime node in the Web.config file.

     <httpRuntime ... requestValidationMode="2.0"/>

  2. Ensure that the validateRequest attribute of the page node in Web.config is set to false.

     <page ... validateRequest="false"/>

  This disables the request validation by default. However, we recommend enabling it for website pages by setting the ValidateRequest attribute of the Page directive to true on each page:

  <%@ Page ... ValidateRequest="true" %>

• If you want to disable request validation for the website or for a specific page, follow the steps described in the previously-mentioned MSDN article.
  In this case, ensure that you html-encode input values before saving them to the database or outputting on the pages.
  Note: the validateRequest attribute of the page node in Web.config is set to false by default. It must not be modified if you want to use the Sitecore Client.

Scenario 2

Error message:

When the requested URL contains invalid characters, the following error might appear:

ERROR Application error.
Exception: System.Web.HttpException
Message: A potentially dangerous Request.Path value was detected from the client (&).
Source: System.Web
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Solution:

• Follow these steps to verify that the links you render on the pages do not contain the invalid characters mentioned in the error message:
  1. For the links rendered using the Sitecore API, ensure that the encodeNameReplacements block in the Web.config file contains the appropriate record:
     <replace mode="on" find="INVALID CHARACTER" replaceWith="REPLACING CHARACTER" />
  2. For the links generated by custom code, manually verify that they do not contain these characters and their encoded counterparts.
     For encoding reference, see the following article: https://www.w3schools.com/tags/ref_urlencode.asp
• In case you do want to use these characters in the path, add the requestPathInvalidCharacters attribute to the httpRuntime node in the Web.config file as follows:
  

  <httpRuntime ... requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?"/>

  Then exclude particular characters from this list.
• To disable the validation for the website or for a specific page, follow the steps described in the above-mentioned MSDN article.
  Note: the validateRequest attribute of the page node in Web.config is set to false by default. It must not be modified if you want to use the Sitecore Client.

Scenario 3

Error message:

When the length of the requested URL exceeds the predefined value, the following error might appear:

ERROR Application error.
Exception: System.Web.HttpException
Message: The length of the URL for this request exceeds the configured maxUrlLength value.
Source: System.Web
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Solution:

• Increase the maxUrlLength attribute value of the httpRuntime node in the Web.config file. In case the value for this attribute is not specified, the default one (260) is used.

Scenario 4

Error message:

When the query string length of the request exceeds the predefined value, the following error might appear:

ERROR Application error.
Exception: System.Web.HttpException
Message: The length of the query string for this request exceeds the configured maxQueryStringLength value.
Source: System.Web
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Solution:

• Increase the maxQueryStringLength attribute value of the httpRuntime node in the Web.config file. In case the value for this attribute is not specified, the default one (2048) is used.

Scenario 5

Error message:

When the path of the requested URL does not match the rules for a valid Windows file path, the following error might appear:

ERROR Application error.
Exception: System.Web.HttpException
Message: 
Source: System.Web
at System.Web.CachedPathData.ValidatePath(String physicalPath)
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Solution:

• Get acquainted with the rules in the MSDN article and eliminate the cause of the error. The most probable cause of the issue is an extra space at the end of the URL. You must remove the space.
  Known problematic URLs might be found in the following items:
  1. database: master, item: /sitecore/templates/System/Layout/Renderings/Webcontrol, section: Appearance, field: Icon;
  2. database: core, item: /sitecore/content/Applications/Content Editor/Menues/Archive/Archive Item Now, section: Appearance, field: Icon;
  3. database: core, item: /sitecore/content/Applications/Content Editor/Menues/Archive/Archive Version Now, section: Appearance, field: Icon.
• Disable Windows file path validation by setting the relaxedUrlToFileSystemMapping attribute of the httpRuntime node in Web.config to true.