SR with <some_text> inside "<" ">" tag - HTTP 500 error

  • Question

  • Hello, is it a known limitation, or just my issue, that prevents me from creating an SR when a text field has text between the tags "<  >"?

    


    • Edited by Nikolas Page Thursday, November 17, 2016 10:32 AM
    Thursday, November 17, 2016 10:31 AM

Answers

  • Our dev team has reproduced this issue in SCSM 2016 RTM. It is definitely a bug in the Microsoft SelfService Portal.

    Try our workaround:

    1) Open MakeForm.cshtml in any text editor. 

    2) Add the following JavaScript inside function pageLoaderActionOnSubmit() 

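     // HTML-encode the value of every text input and textarea before the
     // form is posted, so the posted values no longer contain raw < or >.
     $('input[type=text]').val(function () {
         return $('<div/>').text(this.value).html();
     });
     $('textarea').val(function () {
         return $('<div/>').text(this.value).html();
     });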

    3) IIS Reset

    Bug explanation:

    This error occurs because, by default, ASP.NET prevents potential Cross-Site Scripting security issues. The ASP.NET request validation feature proactively prevents these attacks by not allowing unencoded HTML content to be processed by the server. It is good practice to HTML-encode content that will be stored and HTML-decode it when the content will be reverted back to standard HTML. However, Microsoft doesn't follow its own best practices in the SelfService Portal.

    ---------------------------------------------------------------

    Try our HTML5 Analyst Web Console for SCSM

    www.scsmanalystportal.com




    • Marked as answer by Nikolas Page Friday, December 2, 2016 8:06 AM
    • Edited by Michael Sm Tuesday, December 13, 2016 6:41 PM
    Thursday, December 1, 2016 7:51 PM

All replies

  • Hello,

    If you don't have < and > in the text field, can you submit it successfully? How about having other symbols in the text field?

    Regards,

    Yan Li



    Tuesday, November 22, 2016 2:05 AM
  • Hello Yan Li,

    I didn't test any type of symbols, but with this "< test >" it didn't work. When I put "> test <", this is okay.

    I'm talking about the new HTML5 portal with SCSM 2012 R2 UR7.

    Stack Trace: 
    
    
    
    [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (66aa6a5e-d496-487f-b9c3-976c9f35807d="<TEST>").]
       System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +12364126
       System.Web.HttpValueCollection.Get(String name) +90
       SelfServicePortalWebApp.Controllers.HomeController.MakeForm(String BMEId) +850
       lambda_method(Closure , ControllerBase , Object[] ) +127
       System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +270
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +39
       System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +120
       System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +452
       System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +15
       System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +33
       System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +240
       System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +28
       System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15
       System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +53
       System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15
       System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +42
       System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +606
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288
    
     

    SR with regular text registered successfully from portal



    Tuesday, November 22, 2016 8:14 AM
  • You can insert the script mentioned above into the RequestDetails.chtml page to prevent the same error in a User Input field.
    Thursday, December 1, 2016 8:41 PM
  • Thank you, good man, it works!

    But the headache from the end user will go to the support team, as they will read the description with these tags: &lt;text&gt;

    Is there any way to use <> tags inside a workflow for sending pretty-looking HTML emails with style inside?

    This is not gonna work: &lt;  &gt;

    Friday, December 2, 2016 8:15 AM
  • In order to show <> instead of &lt; &gt; on the Portal, you can use HTML decoding (another little JS). In this case, on the SCSM side all <> would still be stored as encoded symbols. That means your analysts will see &lt; &gt;, but your end users on the Portal will see the correct information.

    This behavior is definitely a bug in the Microsoft portal. I would suggest contacting Microsoft Customer Support Service or using third-party portals. Our portal scsmanalystportal.com doesn't have this issue.

     

     




    • Edited by Michael Sm Tuesday, December 13, 2016 6:41 PM
    Monday, December 5, 2016 6:19 AM
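
The encoding workaround from the marked answer and the display-side decoding suggested in the last reply, written without jQuery as an added example that is not part of the original thread or of the portal's code. The names htmlEncode, htmlDecode, encodeForSubmit and renderDescription are hypothetical, and the sample values are constructed.

```javascript
// Mirrors what $('<div/>').text(v).html() returns for a text node:
// &, <, > and the non-breaking space are escaped; quotes are left alone.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')        // must run first, or later entities get re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\u00a0/g, '&nbsp;');
}

// Reverse of htmlEncode. &amp; is decoded last so that the stored text
// "&amp;lt;" becomes the literal characters "&lt;" and not "<".
function htmlDecode(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&nbsp;/g, '\u00a0')
    .replace(/&amp;/g, '&');
}

// The workaround writes the encoded text back into the fields, so every run
// of the submit handler encodes again. Encoding a copy of the raw values
// (hypothetical helper) keeps a second submit from double-encoding them.
function encodeForSubmit(fields) {
  const out = {};
  for (const [name, raw] of Object.entries(fields)) {
    out[name] = htmlEncode(raw);
  }
  return out;
}

// Display side: decode the stored value and assign it through a text sink.
// textContent shows "<b>" as characters; assigning the decoded string to
// innerHTML would turn the user's text back into live markup.
function renderDescription(element, storedValue) {
  element.textContent = htmlDecode(storedValue);
  return element;
}

// Constructed sample input, matching the value in the stack trace above.
const posted = encodeForSubmit({ description: '<TEST>' });
console.log(posted.description);                 // encoded once
console.log(htmlEncode(posted.description));     // what a second in-place run produces
console.log(htmlDecode(posted.description));     // what the portal should display
```
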