This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unexpected error when user has < or > in a question answer

Jump to solution
TeriStevenson
By
Level 9

A user contacted me last week because she was trying to save answers on the unanswered questions tab of a request and she was getting an Unexpected Error.  I impersonated the user and didn't have any issues, but upon troubleshooting the issue with her I noticed that she had copied an email address from outlook and was pasting it as part of the answer.  The value contained <JohnDoe@company.com>  I had her remove the <> from the answer and she was able to save.

The question was a multi-line text with no conditions.  I was also able to reproduce the issue with a single line text.

Is this as designed that App Portal treats the <> as part of an html tag and thinks it's incomplete so it throws the error?

‎Oct 07, 2019 02:49 PM

0 Kudos
(1) Solution

Jump to solution
CharlesW
By Level 12 Flexeran
Level 12 Flexeran
It's actually IIS which is rejecting the <> as accepting these characters would allow a potential java script attack.

Technically speaking, App Portal should likely escape dangerous characters, rather than throwing an exception, but unfortunately it does not do so at this time.. It is possible to tell IIS to not validate the input, but doing so opens you up to a potential attack. The following article will give you more information on the subject, if you are interested:

https://docs.microsoft.com/en-us/aspnet/whitepapers/request-validation

View solution in original post

‎Oct 08, 2019 07:32 AM

0 Kudos
(2) Replies

Jump to solution
CharlesW
By Level 12 Flexeran
Level 12 Flexeran
It's actually IIS which is rejecting the <> as accepting these characters would allow a potential java script attack.

Technically speaking, App Portal should likely escape dangerous characters, rather than throwing an exception, but unfortunately it does not do so at this time.. It is possible to tell IIS to not validate the input, but doing so opens you up to a potential attack. The following article will give you more information on the subject, if you are interested:

https://docs.microsoft.com/en-us/aspnet/whitepapers/request-validation

‎Oct 08, 2019 07:32 AM

0 Kudos
Top Kudoed Authors
View all