Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden

Submitted by 不羁岁月 on 2019-12-21 09:36:08

Question


Can anyone tell me where the following HTTP error message comes from:

Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.

We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appears instead of '<') but it doesn't help.

Our setup is ASP.NET MVC / IIS 7.5 / IE8.

It's strange but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.


Answer 1:


You are probably using a third-party plugin, like SiteMinder, that is trying to "protect" your website from XSS attacks by rejecting URLs with HTML encoded in them.

If the error only appears on some machines and not on others, check what plugins are installed on those machines. Remove them until you find the culprit (then reinstall the others). Try configuring that plugin to allow the URLs.

Think about whether you really need the plugins or not. If some servers have them and others don't, maybe you are better off without them.




Answer 2:


As Konerak says, if you're using SiteMinder then it will return 403 and give you that message to prevent cross-site scripting attacks.

This solution may not be appropriate if you're running an external-facing site, but the simplest way we've found to avoid the problem was to edit the LocalConfig.conf file to switch off the XSS checking.

This is the setting:

CSSChecking="NO"

And the file lives here:

Program Files\netegrity\webagent\bin\IIS\LocalConfig.conf
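
Added example (not part of the original answers and not SiteMinder tooling): because switching the check off may not be appropriate on an external-facing site, an audit can report which collected LocalConfig.conf files carry an active CSSChecking="NO". The Name="Value" line shape, '#' comment lines, case-insensitive key matching and the host names are assumptions of this sketch.

```python
import re

# Assumed line shape: Name="Value"; a line starting with '#' is a comment.
SETTING = re.compile(r'^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*"?(?P<val>[^"#\r\n]*)"?')

def css_checking_state(conf_text):
    """Return (state, hits): state is 'disabled', 'enabled' or 'unset';
    hits lists (line_number, value) for every active CSSChecking line."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # a commented-out setting has no effect
        m = SETTING.match(line)
        # Key compared case-insensitively so spelling variants are not missed.
        if m and m.group("key").lower() == "csschecking":
            hits.append((lineno, m.group("val").strip()))
    if not hits:
        return "unset", hits
    # Conservative: any active NO is reported, whichever line the agent honours.
    if any(value.upper() == "NO" for _, value in hits):
        return "disabled", hits
    return "enabled", hits

def audit(configs):
    """configs maps a host or path label to the file text.
    Returns one finding per file where the XSS check is switched off."""
    findings = []
    for name, text in sorted(configs.items()):
        state, hits = css_checking_state(text)
        if state == "disabled":
            lines = ", ".join(str(n) for n, v in hits if v.upper() == "NO")
            findings.append(f"{name}: CSSChecking is NO (line {lines})")
    return findings

# Constructed sample files, not taken from a real agent installation.
SAMPLE_INTERNAL = '# local overrides\nCSSChecking="NO"\n'
SAMPLE_PUBLIC = '#CSSChecking="NO"\ncsschecking = "YES"\n'
SAMPLE_DEFAULT = '# nothing overridden here\n'

if __name__ == "__main__":
    for finding in audit({"intranet-web01": SAMPLE_INTERNAL,
                          "public-web01": SAMPLE_PUBLIC,
                          "public-web02": SAMPLE_DEFAULT}):
        print(finding)
```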



Source: https://stackoverflow.com/questions/5249130/due-to-the-presence-of-characters-known-to-be-used-in-cross-site-scripting-attac
