asp.netsecuritywebrequestdangerous-request
Unable to pass '<' in URL as parameter
Why am I unable to pass '<' character as a parameter in the URL? If I do:
http://localhost:9566/?myVar=2 that is ok
But I cannot do:
http://localhost:9566/?myVar=<foo> Why does this give me an error?
When I URL-encode <foo> I get %3Cfoo%3E.
And when I do http://localhost:9566/?myVar=%3Cfoo%3E, I still get the same error:
Solution
This is by design. The characters you are trying to pass could potentially be used in a Cross Site Scripting (XSS) attack.
Here are a few links to get you started on understanding what XSS is:
- https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
- http://www.cgisecurity.com/xss-faq.html
While you can disable this type of validation I would not recommend it. Do you really need to pass a tag in a query string parameter?
- Docker Compose - Ocelot Api GetWay - Call API
- How to send multipart/form-data to ASP.NET Core Web API?
- How to suppress c# compiler warning in a razor file?
- Validation with data annotations does not work
- How can I disable the Yellow Highlighting of @ in Blazor Visual Studio?
- ASP .NET Singleton
- Using Fetch in JS to call a server-side method (ASP.NET)
- How to retrieve a lot of data in my asp .NET app efficiently?
- How to get a username while on a server
- Why is my ASP.NET application throwing a ThreadAbortException?
- File is not found in docker
- How to change the IIS Express development port on a WebForms project in VS2022
- Blazor MFA Login using Entra - Setting Session Length
- How to pass js function argument to inline c# in cshtml?
- EventListener not being removed
- Minimal API or AccountController for Login with ASP.NET Core Identity?
- Using domain driven design entities in an ASP.Net application
- NuGet Package Including DACPAC SQLProj
- How to compare different types of objects
- Variable not returning actual values
- SMTP server can't send emails from hosting c# asp.net
- How to compile 64bit asp.net web site with visual studio?
- Get url without querystring
- Fancybox not showing streamed image correctly
- Continously Publish Matlab Text Output to a Website
- Is there a way to get different values from a single radiobuttonlist field used in ASP:Gridview
- Can aspx grid binding be done after response.redirect?
- Why do I get a "Field is Required" error from my API even tough the query parameter is optional?
- Failed to convert parameter value from a String to a Byte[]
- GetAwait().GetResult causes potential threading problems