Server.URLEncode and potentially dangerous string

[veenakj]

Hi

Code snippet
--------------
strErrMsg = "Could not find a part of the path
\"C:\\Temp\\data\\Test.xml\"." }

Server.Transfer("Message.aspx?errormsg=" + Server.UrlEncode(lsErrMsg));
---------------

I'm getting "potentially dangerous Request.Form value was detected
from the client " error message

I browses several sites and found people discuusing abt < and >
characters. But in my above string i do not have any of that
characters.

What is potentially dangerous string in the above string.
What is the solution.
Please let me know

Thanks
Veena

 

[Rob Schieber]

Hi

Code snippet
--------------
strErrMsg = "Could not find a part of the path
\"C:\\Temp\\data\\Test.xml\"." }

Server.Transfer("Message.aspx?errormsg=" + Server.UrlEncode(lsErrMsg));
---------------

I'm getting "potentially dangerous Request.Form value was detected
from the client " error message

I browses several sites and found people discuusing abt < and >
characters. But in my above string i do not have any of that
characters.

What is potentially dangerous string in the above string.
What is the solution.
Please let me know

Thanks
Veena

This is basically a pre-emptive attempt by IIS to prevent cross-site
scripting attacks, buffer-overflows etc... In the past IIS was riddled
with these types of holes. My guess is that the number of backslashes
and periods is causing IIS to think that someone is trying to post
malicious code. You can turn this off by setting
validateRequest="false". For your page.