I used a new domain. When I set only html pages than site running correct.
But when I use web.config and aspx page then site give an error.
Error is : HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid.
You may first check whether web.config is well-formed, next you may change customError's mode to off like the following snippet
<customErrors mode="off" />
The above would reveal any error details related to your aspx or code-behind.
Related
Asp.Net MVC application
When user tries to submit HTML or JavaScript code in query string of action method , getting Internal server error(500) with below exception..
A potentially dangerous Request.QueryString value was detected from the client (userid="'"-->..script..").
I have enabled the custom error mode so that end user is redirecting the custom error page for any XSS attacks.
But when I run NETSPARKER ENTERPRISE SCAN against action method with javascript code in query string , report coming as Internal server error - The server responded with an HTTP status 500.
What is the best practice to handle this internal server issue.
Suggestion: Custom Error handler
I am not sure about best practice, but what I use is <customErrors> in the web.config to redirect the user to a "nice" web page. The page it redirects to can be a plain HTML, ASPX etc. The nice thing is that you can setup a default custom error page, plus individual ones based on HTTP Status Code.
Follows is a snippet from my web.config for a default error code handler, plus one for HTTP 500 (Internal Server Error) which is what you are getting for the A potentially dangerous Request.QueryString value was detected error:
<customErrors mode="On" redirectMode="ResponseRedirect" defaultRedirect="~/dangitall.html">
<error statusCode="500" redirect="~/dangitall500.html" />
</customErrors>
dangitall.html is a standard HTML page for all error. Its overridden by dangitall500.html which will display for HTTP 500 errors. The contents of these HTML pages can be whatever you want: warn the user, abuse the user etc :)
Follows is a link to the Microsoft tech article regarding custom errors and all of the possible attribute settings etc:
https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.customerror?view=netframework-4.8
Ive added custom error pages to my project, and referenced them in the web.config like so:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Errors/500.aspx">
<error statusCode="404" redirect="~/Errors/404.aspx" />
<error statusCode="500" redirect="~/Errors/500.aspx" />
</customErrors>
When I browse to a page that does not exist I see the 404 page rendered as expected.
However, I now have a bug in the following POST controller method:
CheckRenewalEligibility(string uprn);
When I click the button which invokes this, nothing happens. When I open dev tools in chrome I can see:
And then when I click on the red highlighted CheckRenewalEligibility to see the Preview, it displays my custom error page.
My question is, why is this not being rendered in the front end when a 500 error is clearly occurring, why is it just doing nothing.
note I have an aspx and html version of both custom error pages sat in the Errors path.
The issue you are having is because you do your request via AJAX. In these cases in server side errors, error pages are rendered, but never displayed to a user - that is the nature of AJAX.
Since you have not indicated the way you do your AJAX execution, I'll presume you are using popular jQuery. For ajax requests via jQuery have a look on this answer - explains how to capture server-side errors.
So I have a web page written in C# for ASP.NET and in some cases it returns a custom error.
For example, at one point it can be like:
Response.StatusCode = 400;
Response.Status = "A long custom error message here.";
Response.Write(Resonse.Status);
and when I open this up locally (through http://mymachinename/foo/bar.aspx) I see my custom error message. When I deploy it to a remote server I just see my custom error message overwritten with the text "Bad Request" (that's all). It must be some configuration, but I can't find it.
Check to see if you have the httpErrors attribute defined in your web.config.
<system.webServer>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
Servers can have their own configuration files with error codes like you mentioned. For example, editing the .htaccess file on an apache server will allow you to link your own error pages to the exceptions, or you can just write in the markup yourself to save some time.
Update
You can also do
Response.TrySkipIisCustomErrors
if you are using IIS that is.
Additional Info
http://blogs.iis.net/ksingla/archive/2008/02/18/what-to-expect-from-iis7-custom-error-module.aspx
Those solutions provided by other guys are perfectly valid, But I think you can control it from you IIS Manager too, if there is a defined error page with code 400, Open your IIS Manager, go to .Net Error Pages, look for error code 400 click on edit feature setting on the right panel then select Off in the opened Edit Error Page Setting window.
Hi
I got this error when I was redirecting to other page in asp.net as follows :
"Firefox has detected that the server is redirecting the request for this address in a way that will never complete."
What exactly does this error mean?
Thank You.
Theres a high chance that whatever page you are redirecting to, is redirecting itself in such a way that you get a "redirection loop" that will never reach completion.
I find this is most common when an exception handler Response.Redirect()'s to an error page which itself causes an exception. Therefore the browser just gets a bunch of HTTP 3xx responses for each page it requests and reports the error you're describing (whereas IE will just carry on regardless).
What it means is that your Response.Redirect() sequence keeps sending redirects to the client where it is volleying between two pages which redirect to each other. At least that's what Firefox is inferring. Post some of your code and we may be able to find out exactly what is going on.
this error occurs when you have the response.redirect in the infinity loop.
For example you have two pages default1.aspx and other is default2.aspx
and defautl1.aspx redirects to default1.aspx and same is done by default2.aspx, which redirects to default1.aspx.
this is the state.
In your case under such specific condition if condition this might be behacing in such a manner and this condition might have occured.
Please check your code.
The problem in my case was that I had two nested web.config files as follows:
path: root\folder1\
<deny users="*"/>
path: root\folder1\folder2\
<deny users="?"/>
I deleted that part of the config file in folder2 and the problem was corrected
Thanks
When I try and run a forum page:
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client
In my web.config I have:
<pages validateRequest="false" smartNavigation="false">
And on the actual page I also have:
<%# Page Language="C#" AutoEventWireup="true" ValidateRequest="false" MasterPageFile="~/MasterPages/Main.master" %>
But it keeps throwing this error!
Edit
I fixed it with:
<httpRuntime requestValidationMode="2.0" />
But what's that do and why does it work?
This error occurs because something in the submitted form, or in the querystring, looked dangerous to the validation in ASP.NET.
By adding
<httpRuntime requestValidationMode="2.0" />
you are relaxing the validation that is applied back to the standards of ASP.NET 2.
I would say you are far better off trying to work out exactly what it objects to in your form/querystring than just relaxing the validation. This tightened validation is there to protect you and your users, and shouldn't be relaxed lightly.
I have recently hit this on a project I am working on when we upgraded to ASP.NET MVC3 (from version 2). In our case it actually highlighted an issue whereby we were urlencoding our querystring when we didn't mean to (i.e. the entire quertstring including the question mark and the ampersands was all getting url encoded when it shouldn't be).
Whatever your reason, look for the root cause rather than relax the validation if it is at all possible.
There was probably markup in the submitted text. http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes
The request validation feature in
ASP.NET provides a certain level of
default protection against cross-site
scripting (XSS) attacks. In previous
versions of ASP.NET, request
validation was enabled by default.
However, it applied only to ASP.NET
pages (.aspx files and their class
files) and only when those pages were
executing.
In ASP.NET 4, by default, request
validation is enabled for all
requests, because it is enabled before
the BeginRequest phase of an HTTP
request. As a result, request
validation applies to requests for all
ASP.NET resources, not just .aspx page
requests. This includes requests such
as Web service calls and custom HTTP
handlers. Request validation is also
active when custom HTTP modules are
reading the contents of an HTTP
request.
As a result, request validation errors
might now occur for requests that
previously did not trigger errors. To
revert to the behavior of the ASP.NET
2.0 request validation feature, add the following setting in the
Web.config file:
<httpRuntime requestValidationMode="2.0" />