Dangers Lurking for Innocent Websites Due to Cross Site Scripting
Cross Site Scripting is often talked about during some site update and then forgotten. If you have installed .NET Framework 1.1, script and HTML tags submitted via query strings or HTML form fields are simply stopped by the framework with a message similar to the following one:
A potentially dangerous Request.QueryString value was detected from the client (DocLinkUrl_Begin="javascript:window.opener..."). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (DocLinkUrl_Begin="javascript:window.opener...").
Of course, the framework gives an option to exempt a page from this HTTP request validation. But it is strongly recommended to let the framework validate your requests before they are processed by your scripts. Isn't it?
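If a page really must accept a URL in a query-string parameter such as DocLinkUrl_Begin, the explicit check the framework message asks for can look like the following. This is an added example, not code from the original post; the class name DocLinkPage and the helper SafeDocLinkUrl are assumed, and it targets the .NET Framework 1.1 APIs (System.Uri, HttpUtility) available at the time.

```csharp
// Code-behind for an ASP.NET page that takes a document URL from the query string.
// Rather than turning request validation off (<%@ Page ValidateRequest="false" %>),
// the page keeps validation on and additionally restricts the value itself.
using System;
using System.Web;
using System.Web.UI;

public class DocLinkPage : Page   // assumed class name
{
    // Returns the value only if it parses as an absolute http or https URL.
    // A "javascript:" or "data:" URL, or unparsable input, yields null.
    public static string SafeDocLinkUrl(string raw)
    {
        if (raw == null || raw.Length == 0)
            return null;

        Uri uri;
        try
        {
            uri = new Uri(raw);
        }
        catch (UriFormatException)
        {
            return null;
        }

        // Uri.Scheme is always lower-case, so a plain comparison is enough.
        if (uri.Scheme != "http" && uri.Scheme != "https")
            return null;

        return uri.AbsoluteUri;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        string url = SafeDocLinkUrl(Request.QueryString["DocLinkUrl_Begin"]);
        if (url == null)
        {
            Response.Write("Invalid document link.");
            return;
        }

        // Even an allowed URL is encoded before it is written into an attribute,
        // so characters like a double quote cannot break out of the href.
        Response.Write("<a href=\"" + HttpUtility.HtmlAttributeEncode(url)
                       + "\">Open document</a>");
    }
}
```

Request validation stays enabled, so a value such as DocLinkUrl_Begin="javascript:window.opener..." is still rejected by the framework before this code runs; the scheme check covers the case where validation has been disabled for the page.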
Related Links On Cross Site Scripting:
http://httpd.apache.org/info/css-security/
http://www.cert.org/advisories/CA-2000-02.html