TeriStevenson
Level 7

Unexpected error when user has < or > in a question answer

Jump to solution

A user contacted me last week because she was trying to save answers on the unanswered questions tab of a request and she was getting an Unexpected Error.  I impersonated the user and didn't have any issues, but upon troubleshooting the issue with her I noticed that she had copied an email address from outlook and was pasting it as part of the answer.  The value contained <JohnDoe@company.com>  I had her remove the <> from the answer and she was able to save.

The question was a multi-line text with no conditions.  I was also able to reproduce the issue with a single line text.

Is this as designed that App Portal treats the <> as part of an html tag and thinks it's incomplete so it throws the error?

0 Kudos
1 Solution
CharlesW
Flexera
Flexera
It's actually IIS which is rejecting the <> as accepting these characters would allow a potential java script attack.

Technically speaking, App Portal should likely escape dangerous characters, rather than throwing an exception, but unfortunately it does not do so at this time.. It is possible to tell IIS to not validate the input, but doing so opens you up to a potential attack. The following article will give you more information on the subject, if you are interested:

https://docs.microsoft.com/en-us/aspnet/whitepapers/request-validation

View solution in original post

0 Kudos
2 Replies
CharlesW
Flexera
Flexera
It's actually IIS which is rejecting the <> as accepting these characters would allow a potential java script attack.

Technically speaking, App Portal should likely escape dangerous characters, rather than throwing an exception, but unfortunately it does not do so at this time.. It is possible to tell IIS to not validate the input, but doing so opens you up to a potential attack. The following article will give you more information on the subject, if you are interested:

https://docs.microsoft.com/en-us/aspnet/whitepapers/request-validation
0 Kudos

Thanks Charles!  

0 Kudos