Error exception when adding nodeid containing angle brackets (<>)

Fixed in: EPiServer Live Monitor 8.4.1 (or a related package)

Created: May 20, 2016

Updated: May 29, 2017

State: Closed, Fixed and tested


Description

Steps to reproduce

  1. Install Live Monitor (LiMo) on CMS/Commerce.
  2. Open CMS > LiMo page.
  3. Change the URL to: http://site/EPiServer/EPiServer.LiveMonitor/Monitor?nodeids=<test>

Actual: an exception is thrown:
A potentially dangerous Request.QueryString value was detected from the client (nodeids="<test>").
Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (nodeids="<test>").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (nodeids="<test>").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9809768
System.Web.<>c_DisplayClass280_0.<ValidateHttpValueCollection>b_0(String key, String value) +22
System.Web.HttpValueCollection.EnsureKeyValidated(String key) +9807765
System.Web.HttpValueCollection.GetValues(String name) +17
System.Web.Mvc.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture) +20
System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation) +106
System.Web.Mvc.ValueProviderCollection.GetValue(String key, Boolean skipValidation) +89
System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) +264
System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +331
System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +105
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +522
System.Web.Mvc.Controller.ExecuteCore() +98
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +181
System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +10
EPiServer.Shell.Web.Mvc.ModuleMvcHandler.ProcessController(IController controller) +40
EPiServer.Shell.Web.Mvc.ModuleMvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) +24
System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object state) +48
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) +16
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +103
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155