Question

We've modified our customErrors section to protect against the recent ASP.NET vulnerability.

Our problem is that HttpRequestValidationExceptions are now causing a YSOD to be shown, while other exceptions and page-not-found errors show our custom error page.

If we change the redirectMode to ResponseRedirect everything works fine.

This is our modified section:

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx"/>

This question has nothing to do with the recent ASP.NET vulnerability! It's about the ResponseRewrite redirectMode in combination with HttpRequestValidationExceptions. We know there will soon be a patch and that we could change back to ResponseRedirect.

Kind regards, Martin

Solution

This happens when your error page generates an error.

Make sure you turn off request validation on your error page:

<%@ Page ValidateRequest="false" %>

You then of course need to encode any user input that displays on your error page, e.g. Server.HtmlEncode(ex.Message)
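
A minimal Error.aspx combining both steps from the answer, as an added example that is not code from the original post. It assumes inline C# in the page, that Server.GetLastError() returns the original exception under ResponseRewrite (the code handles null in case it does not), and a hypothetical field name `Detail`.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Added example. With redirectMode="ResponseRewrite" this page executes inside
     the original request, so the input that failed validation is still present.
     ValidateRequest="false" stops this page from throwing the same
     HttpRequestValidationException a second time and producing the YSOD. --%>
<script runat="server">
    // Hypothetical field holding the text shown to the user.
    protected string Detail = "An unexpected error occurred.";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Assumption: the original exception is available here; may be null.
        Exception ex = Server.GetLastError();

        // ASP.NET may wrap the failure in HttpUnhandledException; unwrap one level.
        if (ex is HttpUnhandledException && ex.InnerException != null)
        {
            ex = ex.InnerException;
        }

        if (ex != null)
        {
            // For HttpRequestValidationException the message quotes the rejected
            // input, so it must be treated as untrusted text.
            Detail = ex.Message;
        }
    }
</script>
<html>
<head><title>Error</title></head>
<body>
    <h1>Something went wrong</h1>
    <%-- Request validation is off for this page, so every value written to the
         response is HTML-encoded before output. --%>
    <p><%= Server.HtmlEncode(Detail) %></p>
</body>
</html>
```

Any other request-derived value the page prints (for example the requested URL) needs the same encoding, because nothing on this page is filtered by request validation any more.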

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow