RE: XML as a WebService parameter
by Steven Cheng[MSFT] on 11/9/2007 3:09:00 AM
Hi Bill,
From your description, you have an ASP.NET webservice (asmx endpoint) which
has a webmethod accepting an XML string parameter, and you'll get a validation
error when you call the webservice, correct?
Regarding the webservice, I'd like to confirm the following things:
** The xml parameter of your webmethod is of "String" type, correct?
** How are you consuming the webservice, through the asmx page (via http
post) or through a generated client proxy class?
Generally, for an XML webservice, since its underlying message is encoded via
SOAP XML, we should not directly pass a parameter or return value
of raw XML string content. Here is a former blog article which has
mentioned this:
#Rant: Don't return XML in string variables
http://blogs.msdn.com/mpowell/archive/2004/05/12/130637.aspx
Also, if you do need to pass XML string content, you can consider the
following means:
** manually perform htmlencoding on it so that all the xml content is in
escaped format
** use a CDATA section to wrap the xml string.
Here is a forum thread discussing this problem too:
#Passing an XML string as part of an XML Web Service
http://forums.asp.net/p/1064300/1631786.aspx#1631786
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
-------------------
From: BillAtWork <BillAtWork@nospam.nospam>
Subject: XML as a WebService parameter
Date: Thu, 8 Nov 2007 05:43:01 -0800
Hi,
We recently converted a 1.1 project to 2.0 and this included a webservice
which accepted XML for one of the parameters. Since converting to 2.0 I am
getting the following message:
---
A potentially dangerous Request.Form value was detected from the client
(myparam="<root><blah....").
---
The fix used for ASPX pages is to include the @Page directive with
validateRequest="false" however this does not work for ASMX pages ("The
directive 'Page' is unknown").
Does anyone know of a way to turn this off for webservices?
Thanks!
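The HTML-encoding option from the reply above, sketched as an added example that is not code from either poster: the caller escapes the XML before sending it as a string, and the service decodes it and parses it with DTDs and external resolution disabled. The class name, method names, size cap and sample strings are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;   // HttpUtility lives in System.Web.dll
using System.Xml;

// Hypothetical helper; class and method names are not from the thread.
public static class XmlStringParameter
{
    // Caller side: escape markup so the posted value holds no raw '<' or '>'.
    public static string Encode(string xml)
    {
        return HttpUtility.HtmlEncode(xml);
    }

    // Service side: reverse the escaping, then parse defensively, because the
    // decoded string is still untrusted input.
    public static XmlDocument DecodeAndParse(string encoded)
    {
        if (encoded == null) throw new ArgumentNullException("encoded");
        string xml = HttpUtility.HtmlDecode(encoded);

        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // .NET 4+; on 2.0 use ProhibitDtd = true
        settings.XmlResolver = null;                     // never fetch external resources
        settings.MaxCharactersInDocument = 1000000;      // constructed size cap

        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;
        using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader); // throws XmlException on malformed XML or a DOCTYPE
        }
        return doc;
    }

    public static void Main()
    {
        // Constructed sample payload, shaped like the value in the error message.
        string original = "<root><blah id=\"1\">a &amp; b</blah></root>";
        string wire = Encode(original);
        Console.WriteLine(wire);

        XmlDocument doc = DecodeAndParse(wire);
        Console.WriteLine(doc.DocumentElement.Name);

        // A payload that carries a DOCTYPE is refused by the parser settings.
        try { DecodeAndParse(Encode("<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>")); }
        catch (XmlException) { Console.WriteLine("DOCTYPE rejected"); }
    }
}
```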
RE: XML as a WebService parameter
by Steven Cheng[MSFT] on 11/13/2007 11:43:00 AM
Hi Bill,
So are you calling the webservice through http POST or a client proxy
class? BTW, I've tried using a soap client proxy to call the webservice and
input some string parameter (containing html markup), and it doesn't raise such
an exception. Would you let me know your client type and a simple text snippet
that can cause the problem?
So far what I can find is the <pages validateRequest= ... /> setting in
web.config which is a global one for web pages. There is no dedicated
validation setting for the webservice asmx endpoint.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: BillAtWork <BillAtWork@nospam.nospam>
Subject: RE: XML as a WebService parameter
Date: Mon, 12 Nov 2007 01:05:02 -0800
Hi,
Is it possible to turn off the parameter validation for a webservice? We
could pass in XML as a parameter in 1.1 but not in 2.0. These are all
internal apps and the incoming parameter poses much less of a security risk
than normal.
Thanks.
"BillAtWork" wrote:
> Hi Steven,
> The param is of type "string" and the webservice is called via other .net
> apps (various methods).
>
> We had this working fine under 1.1 and since the apps are all tightly
> controlled, passing in an XML string was acceptable. Is this a
> consequence of moving to 2.0? Do you know if it can be turned off?
>
> Thanks.