RE: XML as a WebService parameter
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
- Date: Tue, 13 Nov 2007 11:42:52 GMT
{\rtf1\ansi\ansicpg936\deff0\deflang1033\deflangfe2052{\fonttbl{\f0\fnil\fprq2\fcharset0 MS Sans Serif;}}
\viewkind4\uc1\pard\lang2052\f0\fs20 Hi Bill,
\par
\par So are you calling the webservice through http POST or a client proxy class? BTW, I've tried using a soap client proxy to call webservice and input some string paramter(contains html markup), it doesn't raise such exception. Would let me know your client type and the a simple text snippet that can cause the problem?
\par
\par So far what I can find is the <pages validateRequest= ... /> setting in web.config which is a global one for web pages. There is no dedicated validation setting for webservice asmx endpoint.
\par
\par Sincerely,
\par
\par Steven Cheng
\par
\par Microsoft MSDN Online Support Lead
\par
\par
\par This posting is provided "AS IS" with no warranties, and confers no rights.
\par
\par \pard\li720 --------------------
\par From: =?Utf-8?B?QmlsbEF0V29yaw==?= <BillAtWork@xxxxxxxxxxxxx>
\par Subject: RE: XML as a WebService parameter
\par Date: Mon, 12 Nov 2007 01:05:02 -0800
\par
\par
\par Hi,
\par Is it possible to turn off the parameter validation for a webservice? We
\par could pass in XML as a parameter in 1.1 but not in 2.0. These are all
\par internal apps and the incoming parameter poses much less of a security risk
\par than normal.
\par
\par Thanks.
\par
\par "BillAtWork" wrote:
\par
\par > Hi Steven,
\par > The param is of type "string" and the webservice is called via other .net
\par > apps (various methods).
\par >
\par > We had this working fine under 1.1 and since the apps are all tightly
\par > controlled, passing in an XML string was acceptable. Is this a consequence of
\par > moving to 2.0? Do you know if it can be turned off?
\par >
\par > Thanks.
\par >
\par > "Steven Cheng[MSFT]" wrote:
\par >
\par > > Hi Bill,
\par > >
\par > > From your description, you have an ASP.NET webservice (asmx endpoint) which
\par > > has a webmethod accepting a XML string parameter, and you'll get validation
\par > > error when you call the webservice, correct?
\par > >
\par > > regarding on the webservice, I'd like to confirm the following things:
\par > >
\par > > ** The xml parameter of your webmethod is of "String" type, correct?
\par > >
\par > > ** How are you consuming the webservice, through the asmx page(via http
\par > > post) or through a generated client proxy class?
\par > >
\par > > Generally, for XML webserivice, since its underlying message is encoded via
\par > > SOAP XML, therefore, we should not directly pass parameter or return value
\par > > of raw XML string content. Here is a former blog article which has
\par > > mentioend this:
\par > >
\par > > #Rant: Don't return XML in string variables
\par > > http://blogs.msdn.com/mpowell/archive/2004/05/12/130637.aspx
\par > >
\par > > Also, if you do need to pass XML string content, you can consider the
\par > > following means:
\par > >
\par > > ** manually perform htmlencoding on it so that all the xml content are in
\par > > escaped format
\par > >
\par > > ** use a CDATA section to wrapper the xmlstring.
\par > >
\par > > Here is a forum thread discussing on this problem too:
\par > >
\par > > #Passing an XML string as part of an XML Web Service
\par > > http://forums.asp.net/p/1064300/1631786.aspx#1631786
\par > >
\par > > Sincerely,
\par > >
\par > > Steven Cheng
\par > >
\par > > Microsoft MSDN Online Support Lead
\par > >
\par > >
\par > >
\par > > ==================================================
\par > >
\par > > Get notification to my posts through email? Please refer to
\par > > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
\par > > ications.
\par > >
\par > >
\par > >
\par > > Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
\par > > where an initial response from the community or a Microsoft Support
\par > > Engineer within 1 business day is acceptable. Please note that each follow
\par > > up response may take approximately 2 business days as the support
\par > > professional working with you may need further investigation to reach the
\par > > most efficient resolution. The offering is not appropriate for situations
\par > > that require urgent, real-time or phone-based interactions or complex
\par > > project analysis and dump analysis issues. Issues of this nature are best
\par > > handled working with a dedicated Microsoft Support Engineer by contacting
\par > > Microsoft Customer Support Services (CSS) at
\par > > http://msdn.microsoft.com/subscriptions/support/default.aspx.
\par > >
\par > > ==================================================
\par > > \tab
\par > >
\par > > This posting is provided "AS IS" with no warranties, and confers no rights.
\par > >
\par > >
\par > >
\par > >
\par > >
\par > >
\par > >
\par > > -------------------
\par > > From: =?Utf-8?B?QmlsbEF0V29yaw==?= <BillAtWork@xxxxxxxxxxxxx>
\par > > Subject: XML as a WebService parameter
\par > > Date: Thu, 8 Nov 2007 05:43:01 -0800
\par > >
\par > > Hi,
\par > > We recently converted a 1.1 project to 2.0 and this included a webservice
\par > > which accepted XML for one of the parameters. Since converting to 2.0 I am
\par > > getting the following message:
\par > > ---
\par > > A potentially dangerous Request.Form value was detected from the client
\par > > (myparam="<root><blah....").
\par > > ---
\par > >
\par > > The fix used for ASPX pages is to include the @Page directive with
\par > > validateRequest="false" however this does not work for ASMX pages ("The
\par > > directive 'Page' is unknown").
\par > >
\par > > Does anyone know of a way to turn this off for webservices?
\par > >
\par > > Thanks!
\par > >
\par > >
\par \pard
\par
\par }
- References:
- RE: XML as a WebService parameter
- From: Steven Cheng[MSFT]
- RE: XML as a WebService parameter
- From: BillAtWork
- RE: XML as a WebService parameter
- From: BillAtWork
- RE: XML as a WebService parameter
- Prev by Date: Re: Client Information
- Next by Date: RE: Efficient Asynchronous Call to Webservice
- Previous by thread: RE: XML as a WebService parameter
- Next by thread: Webservice call hangs
- Index(es):
Relevant Pages
|
