ServiceDesk


HTML in Incident Description causes Application Error when resolving

  • 1.  HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 11:24 AM

    We have a custom workflow that creates an incident with a description that contains HTML.  When we try to resolve the incident, we get an Application Error.  We have to remove the HTML from the description and then we can resolve.  So I'm trying to figure out where the problem lies - in the workflow that creates the ticket or in the workflow that resolves it.  The custom workflow uses the "Merge HTML" component.  Why is that component available if it's going to break the process further down the line?



  • 2.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 11:34 AM

    What is the specific error in the Log Viewer?



  • 3.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 11:42 AM

    Here is the log entry:

    Application Name : SD.IncidentManagementSimple
    Process ID : 4588
    Date :1/14/2015 8:06:35 AM
    Log Level :Error
    Log Category :System.Web.HttpApplication
    Machine Name : ***
    Message :
    System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (l14b="<HTML><HEAD></HEAD>
    ...").
       at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
       at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
       at System.Web.HttpRequest.get_Form()
       at System.Web.HttpRequest.get_HasForm()
       at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
       at System.Web.UI.Page.DeterminePostBackMode()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.form_aspx.ProcessRequest(HttpContext context)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)



  • 4.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 11:45 AM


  • 5.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 11:48 AM


  • 6.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 02:04 PM

    Thanks.  Not sure what he means by "sanitizing" the input...?  Again, I'm confused as to why the Merge HTML component exists if it causes issues.



  • 7.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 02:19 PM

    "Sanitizing" is a programmer's term for correcting/stripping "bad" characters from an input... in this case, it would be anything resembling HTML tags (<HEAD>, <BODY>, etc.)



  • 8.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 02:30 PM

    Why do you believe the Merge HTML component is causing issues?  Typically this exception is thrown when an HTML-coded string is entered into an input element on a form, such as a TextBox or a Multiline TextBox.  Having a Merge HTML component simply allows you to HTML-format your content ("HTML Merge" is what I assume you're talking about (the form component); it allows you to input or merge HTML code to display HTML elements/formatting on your form); it isn't doing much else, and it isn't a form input component.  

    http://www.symantec.com/connect/articles/html-merge

    http://www.symantec.com/connect/articles/merge-html

    This security obstacle isn't unique to Workflow.

    http://stackoverflow.com/questions/25868870/asp-net-potentially-dangerous-request-form-value-was-detected-from-the-client

    http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client

    http://www.codeproject.com/Tips/297679/A-potentially-dangerous-Request-Form-value-was-det

    You can reproduce this error by building a workflow with a Form Builder component.  Inside that form, place a button and a TextBox.  Connect the lines from start and end and debug the project.

    Type <span> into the TextBox and click the button to attempt to exit the form.  When the form attempts to post the data, the error should occur.

    You can get around this issue by doing what Aryanos said in his post, linked above, by using an HTMLEditor component and hiding the toolbars, then convert the HTML to text.



  • 9.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 02:41 PM

    reecardo is correct - but the challenge with sanitizing is that if you disregard the context, you'll strip values from what is actually a valid string.  Let's say that my incident description is this:

    "I need a technician to come work on my computer anytime <16:00 tomorrow."

    So building a sanitizing model will take more effort than just saying "that character is bad in some contexts, so if it contains that character, strip it out".

    Otherwise someone shows up to repair my computer at 16:00, when I'm walking out the door.  The problem is that <16:00 is valid (and will not throw an error).

    The error is thrown when the server believes "code" such as JavaScript or HTML is being passed in.  So in order to sanitize your forms, you'll need to account for any script that will throw the error.

    <(any a-z character)  
    <!  
    </
    <?
    &#

    http://stackoverflow.com/questions/11370415/how-to-check-if-string-will-fire-a-potentially-dangerous-request-form-value-was

    You'll also need to sanitize the string BEFORE the page posts - so with JavaScript or an embedded model of some kind.
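
The check and pre-post handling described in post 9, as an added example that is not part of the original thread or of Workflow itself: it tests a value against the trigger sequences listed in that post and entity-encodes it instead of stripping characters, so "<16:00" survives. The function names are hypothetical, and the receiving side is assumed to decode the value and to HTML-encode it again wherever it is displayed.

```javascript
// Trigger sequences as listed in the post above: "<" followed by a letter,
// "!", "/" or "?", and "&" followed by "#".
const TRIGGER = /<[A-Za-z!\/?]|&#/;

// True if the value contains a sequence from that list.
function tripsRequestValidation(value) {
  return TRIGGER.test(value);
}

// Stripping approach the thread warns about: drops every angle bracket.
function naiveStrip(value) {
  return value.replace(/[<>]/g, "");
}

// Entity-encode instead of stripping, so nothing is lost. Because "&" is
// encoded too, "&#" becomes "&amp;#" and no longer matches.
const ENCODE = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
const DECODE = { amp: "&", lt: "<", gt: ">" };

function encodeForPost(value) {
  return value.replace(/[&<>]/g, (ch) => ENCODE[ch]);
}

// Inverse of encodeForPost, for the receiving side (single pass, so an
// original "&lt;" typed by the user comes back as "&lt;", not "<").
function decodeAfterPost(value) {
  return value.replace(/&(amp|lt|gt);/g, (m, name) => DECODE[name]);
}

// Constructed sample inputs: the description from the log entry, the
// "<16:00" sentence from the post, and a numeric character reference.
const samples = [
  "<HTML><HEAD></HEAD>",
  "I need a technician to come work on my computer anytime <16:00 tomorrow.",
  "price &#60; 10",
];

for (const s of samples) {
  const encoded = encodeForPost(s);
  console.log(JSON.stringify({
    input: s,
    trips: tripsRequestValidation(s),
    stripped: naiveStrip(s),
    encoded,
    encodedTrips: tripsRequestValidation(encoded),
    roundTrip: decodeAfterPost(encoded) === s,
  }));
}
```

In a form, encodeForPost would run in the submit handler on each text field's value before the browser posts it.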



  • 10.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 04:01 PM

    Pardon my ignorance as I'm a newbie to Workflow.  Sounds like the author of our custom workflow neglected to include the appropriate steps to prevent the error when resolving.  Thanks for your help.



  • 11.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 14, 2015 04:32 PM

    Reading back on my response, I could have worded that better, causing less confusion and sounding somewhat less brusque.  So if anyone needs a pardon, it's probably me.

    I imagine any of my projects would likely throw this same exception; I haven't taken the time to create a portable sanitation model yet.  I have, however, used the validateRequest="false" adjustment in the past, and that does prevent the exception from occurring.

    If the information here doesn't get your problem resolved, I'm happy to give it another shot.



  • 12.  RE: HTML in Incident Description causes Application Error when resolving

    Posted Jan 15, 2015 09:05 AM

    For what it's worth, you can find some examples of ways to sanitize the input in the email monitor project. I believe it's in the primary model (before it's sent to the process message model). There's a couple components used for it, if I recall correctly. One is a workflow component and the other is a code script component that uses some C#.