Thursday, August 26, 2004

Request validation and CMS

A new ASP.NET version 1.1 feature, request validation, prevents the server from accepting content containing un-encoded HTML. This feature is designed to help prevent some script-injection attacks whereby client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users.

This feature is not so helpful, however, when you are using Microsoft Content Management Server, since placeholder controls in CMS actually expect HTML content. To disable this feature in your CMS web application, add the following line to the <system.web> section of your web.config: <pages smartNavigation="false" validateRequest="false" />
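An added example, not from the original post: a web.config that keeps request validation on for the application and switches it off for one folder only, so pages without HTML placeholders keep the check. The folder name Templates/Rich is hypothetical, and the example assumes requests for the placeholder pages resolve to that path.

```xml
<configuration>
  <system.web>
    <!-- Application-wide: request validation stays on (the ASP.NET 1.1 default). -->
    <pages smartNavigation="false" validateRequest="true" />
  </system.web>

  <!-- Hypothetical folder holding only the templates whose placeholder
       controls must accept HTML; validation is off for these pages alone. -->
  <location path="Templates/Rich">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

Input posted to the unvalidated pages is no longer screened by ASP.NET, so any field there that is not meant to hold markup should go through Server.HtmlEncode before it is rendered.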
