Hidden input field throws a potentially dangerous Request.Form parameter error
In my ASP.NET 1.1 application, I compress and replace the hidden variable Viewstate with an alternative compressed value stored in the hidden __VSTATE field. This works well, but in some cases submitting the page causes a generic "potentially dangerous Request.Form ..." error.
I've looked at the __VSTATE value and nothing seems to be potentially dangerous. I was able to reproduce the error with a completely stripped down version of the page and a __VSTATE value as shown below. An error appears when clicking the submit button. The page works fine if I change the value to "".
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="Dangerous.aspx.vb" Inherits="Dynalabs.Dangerous" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body MS_POSITIONING="FlowLayout">
<form id="Form1" method="post" runat="server">
<input type="hidden" id="__VSTATE" runat="server" value="Onw=" />
<asp:Button ID="btnSubmit" Runat="server" Text="Submit" />
</form>
</body>
</html>
Changing the field name to "MyHiddenWT" made no difference. Removing runat="server" stopped the error, but that just means .NET is only checking server controls. I also tried some additional values and found this:
"Anw=", "Bnw=", "Cnw=", ... "Nnw=", "Onw=", "Pnw=", ... "Znw=",
"Onw=" is the only one causing the problem. Does the O have some octal meaning somehow?
Can someone explain why this value is causing the error message? I'm also looking for a solution, but please don't tell me to remove page validation. It's the same as saying that a car with bad brakes can be fixed without driving the car.
Thanks in advance.
My first guess is that it looks like a JavaScript onSomething= event declaration.
A bit strange that only capital O triggers the error, did you also check for lowercase o?
Can you try: "OnClick =", "abc OnClick =", "onclick =", "abc onclick =", "anw =", "bnw =", ...
If "OnSomething = x" javascript is a problem, then just adding another character to your values should do the trick. Maybe just "v".
<input type="hidden" id="__VSTATE" runat="server" value="vOnw=" />
And then on submit, you remove the extra character before decoding.
Or better yet, upgrade to 2.0.
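As an added illustration (not code from the question or the answer, and written in Python rather than VB.NET), the following wraps the compressed view state with the leading character the answer suggests and checks the enumerated candidate values against an assumed approximation of the ASP.NET 1.1 request-validation "onXxx=" heuristic. The regular expression is an assumption standing in for the real validator, so confirm behaviour against the actual framework before relying on it.

```python
import base64
import re
import zlib

# ASSUMED approximation of the 1.1 "onXxx=" check: "on" (any case) that is not
# preceded by a letter, then one or more letters, optional whitespace, then "=".
# This is not the real .NET implementation; it is a stand-in for illustration.
ON_EVENT_PATTERN = re.compile(r"(?<![A-Za-z])[Oo][Nn][A-Za-z]+\s*=")

SENTINEL = "v"  # the extra leading character suggested in the answer


def looks_dangerous(value: str) -> bool:
    """True if the value would trip the assumed onXxx= heuristic."""
    return ON_EVENT_PATTERN.search(value) is not None


def encode_vstate(raw: bytes) -> str:
    """Compress and base64-encode view state, then prepend the sentinel.

    A leading non-'o' letter means the field can never begin with 'On'/'on',
    so a base64 result such as 'Onw=' is sent as 'vOnw='.
    """
    return SENTINEL + base64.b64encode(zlib.compress(raw)).decode("ascii")


def decode_vstate(field: str) -> bytes:
    """Strip the sentinel added by encode_vstate, then base64-decode and inflate."""
    if not field.startswith(SENTINEL):
        raise ValueError("__VSTATE value is missing the expected sentinel")
    return zlib.decompress(base64.b64decode(field[len(SENTINEL):]))


def classify(values):
    """Map each candidate __VSTATE string to whether it trips the heuristic."""
    return {v: looks_dangerous(v) for v in values}


if __name__ == "__main__":
    # Constructed sample: values the question enumerates, lowercase, and the fix.
    samples = ["Anw=", "Nnw=", "Onw=", "Pnw=", "Znw=", "onw=", "vOnw="]
    for v, flagged in classify(samples).items():
        print(f"{v!r:8} -> {'flagged' if flagged else 'ok'}")
    state = b"constructed view state bytes"
    print(decode_vstate(encode_vstate(state)) == state)
```

Under this approximation the sentinel only protects the start of the string; a base64 tail such as "+Onw=" would still match, so the check above is worth running over real encoded output rather than assuming the prefix alone is sufficient.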