
Question

Forms Text Fields: A potentially dangerous request.form value was detected

asked on March 30, 2015

We have recently discovered that certain types of special characters cannot be typed into Forms "text" fields. There is no validation on the fields by default that prevents these character combinations - instead, the user fills out the entire form and, after submitting it, is told there was a Forms error. It is only in the event viewer that we find out what the issue is.

Apparently you cannot have any combination of the "<" character with a letter, & or ! after it in a field in Forms.

There may be other restricted character combinations that are not readily apparent. Has anyone discovered additional types?

Is there some JavaScript I could drop in on every form that would globally restrict these character types and pop up a message box or something that warns you not to enter these character combos if you enter one?

To Laserfiche: I understand this is a security feature, but it would probably be best to move the validation up to before the Form is submitted, rather than waiting for the user to spend time submitting the form, only to lose it all after submission.

See also: https://answers.laserfiche.com/questions/48605/Signatures-A-potentially-dangerous-RequestForm-value-was-detected

0 0

Replies

replied on March 30, 2015

There are a variety of ways you can go about this. Below is some "quick and dirty" custom validation code that will disable the Submit button if it detects any illegal character combinations in any of the input fields. It should work on any form:

$(document).ready(function() {
    // Combinations the server rejects, per the question above:
    // "<" followed by "!", "&" or any letter (values are lower-cased before the check).
    var illegalChars = ["<!", "<&", "<a", "<b", "<c", "<d", "<e", "<f", "<g",
                        "<h", "<i", "<j", "<k", "<l", "<m", "<n", "<o", "<p",
                        "<q", "<r", "<s", "<t", "<u", "<v", "<w", "<x", "<y", "<z"];
    // Whenever a field loses focus, re-scan every field and toggle the Submit button.
    $(".cf-field > input").on("blur", function() {
        var disabled = false;
        $(".cf-field > input").each(function() {
            var value = $(this).val().toLowerCase();
            for (var i = 0; i < illegalChars.length; i++) {
                if (value.indexOf(illegalChars[i]) >= 0) {
                    disabled = true;
                }
            }
        });
        $(".Submit").prop("disabled", disabled);
    });
});

You can extend it further by displaying pop-ups or alert messages (so the users don't get confused as to why the submit button is not working, for example).

A simpler option would be to not allow the user to enter the "<" character into the fields, since that seems to be the main culprit. If that is acceptable, you can use this code:

$(document).ready(function() {
  // Swallow the "<" keystroke itself: Shift + "," (key code 188) on a US layout.
  // Pasted text and other keyboard layouts are not covered by this keydown check.
  $('input').keydown(function(e) {
      if (e.which == 188 && e.shiftKey) { // 188 + Shift is <
          e.preventDefault();
      }
  });
});

Note that I gave these scripts only some cursory testing. I can't promise how they will hold up in a production setting.

0 0
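An added example, not code from the original answer or from Laserfiche: a jQuery-free version of the same pre-check that returns which fields would trip the server, so the message can name them. It encodes only the rule the question states ("<" followed by a letter, "&" or "!"); the server-side ASP.NET request validation remains the authoritative check, and this client code is only an early warning, as the later replies note. The selectors (`.Submit`, `#validation-message`) and the `{ name, value }` field shape are assumptions, and the sample fields are constructed.

```javascript
// Added example (not from the original post). Mirrors the combinations the
// question reports as rejected: "<" followed by a letter, "&" or "!".
// The server's own rule may be broader; it stays the last word.
const DANGEROUS_PATTERN = /<[a-z&!]/i;

// Returns the index of the first offending "<" in a value, or -1 if none.
function findDangerousIndex(value) {
  if (typeof value !== "string") return -1;
  const m = DANGEROUS_PATTERN.exec(value);
  return m ? m.index : -1;
}

// Takes an array of { name, value } objects (one per form field) and returns
// the fields that would be rejected, with the position and the two-character
// sequence that triggered it, so a message can point at the exact spot.
function checkFields(fields) {
  const problems = [];
  for (const f of fields) {
    const idx = findDangerousIndex(f.value);
    if (idx >= 0) {
      problems.push({ name: f.name, index: idx, snippet: f.value.slice(idx, idx + 2) });
    }
  }
  return problems;
}

// Browser wiring (hypothetical selectors; skipped outside a browser).
// Listens on "input", which fires for typing and for paste, re-checks every
// text field and textarea, and toggles the submit button with a message.
function wireForm(form, submitButton, messageBox) {
  const inputs = form.querySelectorAll("input[type=text], textarea");
  const revalidate = () => {
    const fields = Array.from(inputs, (el) => ({ name: el.name || el.id, value: el.value }));
    const problems = checkFields(fields);
    submitButton.disabled = problems.length > 0;
    messageBox.textContent = problems.length
      ? "Remove '<' followed by a letter, '&' or '!' in: " + problems.map((p) => p.name).join(", ")
      : "";
  };
  inputs.forEach((el) => el.addEventListener("input", revalidate));
  revalidate();
}

if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const form = document.querySelector("form");
    const submit = document.querySelector(".Submit");   // assumed selector
    const box = document.getElementById("validation-message"); // assumed element
    if (form && submit && box) wireForm(form, submit, box);
  });
}

// Constructed sample fields for running the check offline.
const SAMPLE_FIELDS = [
  { name: "firstName", value: "Ada" },
  { name: "comment", value: "price < 5 and x<y" },
  { name: "note", value: "see <!-- nothing" },
];
```

Running `checkFields(SAMPLE_FIELDS)` flags `comment` (the `<y` at position 15) and `note` (the `<!` at position 4) while leaving `price < 5` alone, since "<" followed by a space is not part of the rule. Because the check is a single regex rather than a list of two-character strings, it cannot drift from the rule by omitting a letter.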
replied on March 24, 2017

Thanks for all the great information, Ege!! Do you have any ideas on how to prevent a user from entering a line break in a multi-valued field? The field is used to create folder names and a line break will cause the form not to be saved in Laserfiche.

1 0
replied on April 1, 2015

Thanks, Ege!

0 0
replied on May 31, 2015

Hi Ege,

If client side Java is being used to prevent certain characters from being entered, then couldn't those characters be easily entered using something like Greasemonkey to get around the JavaScript checks? What if the attack was scripted and didn't use a browser?

Just spitballin' here. I'm no security expert.

-Ben

0 1
replied on May 31, 2015

I doubt this is a security feature. I do my development in Rails though, so I don't know how it works behind the scenes with ASP.NET MVC.

Regardless, I don't recommend trying to bypass this with clever hacks. :)

replied on May 31, 2015

The validation in question happens server-side. It's actually a feature of ASP.NET. You can read more about it here.

The JavaScript snippet I provided is more of a usability feature. It's probably better to prevent those characters from being entered in the first place so that the user doesn't get an error upon submission and end up having to go back and fill the whole thing again. Yes, it is possible to get around it (e.g. if JS is disabled) but the user will still get the same error when they submit.

2 0
replied on May 31, 2015

Thanks for the info, Ege.

0 0