Search code examples
asp.netsecurityscriptresource.axdaxd

Hyphens in .axd path

I pushed a website live for a client tonight using Infragistics web controls and we're having an issue where the path to the associated AXD files contain a double hyphen. This results in the clients' firewall program blocking access to the files since it perceives the double hyphen as a SQL injection attack.

Can anyone provide some ideas as to how to proceed?

Thanks.

Solution

  • For others who might experience this problem: so what I ended up doing was to modify the configuration of the Infragistics ScriptManager to combine the scripts into one large script file by default as follows:

    <ig:WebScriptManager runat="server" ID="igScriptManager" CompositeScript-ScriptMode="Release" CompositeScript-Path="InfragisticsCombined.js">
<CompositeScript>
<Scripts>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.0_igControlMain.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.2_igCollections.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.3_igUIBehaviors.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.4_igEnums.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.5_igObjects.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.7_igClientStateManager.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.8_igCallback.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.9_igPropertyManagers.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.1_igControlMainClientBinding.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.Scripts.6_igObjectsClientBinding.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.SharedScripts.igAnimation.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.EditorControls.WebTextEditor.js.igTextEditor.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.EditorControls.WebMonthCalendar.js.igCalendar.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.GridControls.WebDataGrid.js.igWebDataGridBase.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.GridControls.WebDataGrid.js.igWebDataGrid.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.GridControls.WebDataGrid.js.igWebDataGridPaging.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.GridControls.WebDataGrid.js.igWebDataGridSorting.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.SharedScripts.igDragDrop.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.GridControls.WebHierarchicalDataGrid.js.igWebHierarchicalDataGrid.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.SharedScripts.igLayoutPane.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.LayoutControls.WebTab.js.igTab.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.GridControls.WebDataGrid.js.igWebDataGridSummaryRow.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Infragistics.Web.UI.SharedScripts.igDropDown.js" assembly="Infragistics4.Web.v12.1, Version=12.1.20121.2020, Culture=neutral, PublicKeyToken=7dd5c3163f2cd0cb"/>
<asp:ScriptReference name="Common.Common.js" assembly="AjaxControlToolkit, Version=4.1.51116.0, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e"/>
<asp:ScriptReference name="ExtenderBase.BaseScripts.js" assembly="AjaxControlToolkit, Version=4.1.51116.0, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e"/>
<asp:ScriptReference name="PasswordStrength.PasswordStrengthExtenderBehavior.js" assembly="AjaxControlToolkit, Version=4.1.51116.0, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e"/>
</Scripts>
</CompositeScript>
</ig:WebScriptManager>

    The ScriptReference tags tells the ScriptManager which scripts to include in the combined file. The CompositeScript-Path parameter gives it a consistent name so that "dangerous" characters are explicitly avoided.

    A good writeup as to how to figure out the javascript file names to include in the list are be found at http://community.infragistics.com/aspnet/articles/understanding-script-combining.aspx.

    Also, I didn't try it out but the impression I got while researching this issue was that a similar process is available with the AjaxToolkit ScriptManager after ASP.NET 3.5.