ASP Net Core 8.0-A potentially dangerous Request.QueryString value was detected from the client

Liangjun Hu 0 Reputation points Microsoft Employee
2024-07-02T08:15:51.9333333+00:00

Hi,

I hit the issue "A potentially dangerous Request.QueryString value was detected from the client (filter="...dList eq '<bZFZ0B4I...")" . My project is netcore 8.0,and it's stand-alone executable. I found that the solution(requestValidationMode change) for resolve the dangerous request issue for asp net framework. But it's not applied to asp net core. So, anyone know how to resolve the dangerous request exception in asp net core project? The details about the case:
The dangerous string '<>' must be used, and i found if the http request contain '<' with number, like '<2XXX...', it won't be considered as dangerous request, but if there is "<AXXX..." with letter, it will be trated as dangerous request.

(From the official doc, requestValidationMode is only applied for net framework.https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.requestvalidationmode?view=netframework-4.8.1)

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,393 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Brando Zhang-MSFT 3,446 Reputation points Microsoft Vendor
    2024-07-03T02:21:03.5833333+00:00

    Hi @Liangjun Hu,

    The asp.net core built-in validation doesn't automatically reject the requests containing potentially dangerous content in the query string. For your issue, I guess you have some specific custom middleware which contains the validation.

    To solve this issue, I suggest you could consider creating a custom middleware to use the htmlencode method to encode the query to avoid the validation.

    More details, you could refer to below codes:

    Create a middleware and put it at first like below:

    ...
    var app = builder.Build();
    
    app.Use(async (context, next) =>
    
    {
    
        var query = context.Request.QueryString;
    
        var encodestring = System.Web.HttpUtility.HtmlEncode(query);
    
        context.Request.QueryString = new QueryString($"{encodestring}");
    
         await next(context);
    
    });
    ...
    

    Result:

    User's image


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.