HTML or HTML-like text entered into TextBox, Multiline TextBox, or AutoCompleteTextBox components will cause an exception that ends the process (does not go to exception trigger).

Article ID: 158493

Products

Workflow Solution ServiceDesk

Issue/Introduction

When a Form uses a TextBox, Multiline TextBox, or AutoCompleteTextBox component (other similar components may also be affected), entering HTML or HTML-like text into the text box and then continuing off the form causes an exception that ends the Workflow. When this happens, Workflow does not transfer control to an exception trigger component.

This was initially reported with incomplete HTML (note that the <a> tag is not closed):

<a title="test"

However, this also affects other text containing less-than (<) or greater-than (>) symbols, generally in HTML or similar constructs. Another recently reported example is simply:

<test>

An Application Error page is shown to the Portal user.

In versions of ServiceDesk/Workflow prior to 7.5 SP1, no errors are generated in the logs.
Starting with ServiceDesk Workflow 7.5 SP1, the following error is saved to the project's log:

Error:
Log Level :Error
Log Category :System.Web.HttpApplication
Message : 
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (l1b="<a title="test"").
   at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.get_HasForm()
   at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
   at System.Web.UI.Page.DeterminePostBackMode()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.form_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Cause

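HTTP request validation is standard behavior for ASP.NET applications: the runtime rejects posted form values that look like markup, which produces the HttpRequestValidationException shown in the log above.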

Environment

Workflow 7.x and 8.x
ServiceDesk 7.x and 8.x

Resolution

This has been reported to Symantec Engineering and is being reviewed for improvement in a future version of Workflow.

NOTE: The workaround for this issue will open security holes for the project. IIS page validation is important for the security of your system. It is recommended that you do not use problematic text in the forms. If you must use HTML tags or similar text on your forms, you may use the steps below to disable page validation.

To disable HTTP Request validation, the project's web.config file needs to be modified.

1. Navigate to the Workflow Project directory where the form is being executed (%\Program Files\Symantec\Workflow\WorkflowDeploy\Release\[ProjectName])

2. Open the web.config file.

3. Add the following XML to the body of the file inside <configuration> and <system.web>:

<pages validateRequest="false" />

For Workflow or ServiceDesk 7.6 or newer running on .NET 4.0, an additional modification is needed to force request validation to work in .NET 2.0 mode, which allows it to be disabled this way. The httpRuntime line probably already exists; if so, just add requestValidationMode="2.0" to the existing line:

<httpRuntime requestValidationMode="2.0"/>

After this is done, IIS will no longer validate text entered into the TextBox components.
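
Because the workaround removes a protection, it helps to know which deployed projects carry it. The following is an added example, not part of the original article or of any Symantec tooling: it scans web.config files for the two settings described above. The function names, status strings and sample XML are assumptions made for the illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: a project web.config carrying both workaround settings.
SAMPLE_WORKAROUND = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="4096" requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""


def _local(tag):
    # Drop an XML namespace prefix such as "{...}pages" if one is present.
    return tag.rsplit("}", 1)[-1]


def classify(root):
    """Classify request validation for a parsed web.config root element."""
    validate_off = mode_20 = False
    for el in root.iter():
        name = _local(el.tag)
        if name == "pages":
            validate_off |= el.get("validateRequest", "").strip().lower() == "false"
        elif name == "httpRuntime":
            mode_20 |= el.get("requestValidationMode", "").strip() == "2.0"
    if validate_off and mode_20:
        return "disabled"
    if validate_off:
        # On .NET 4.0 this setting alone does not switch validation off.
        return "disabled-unless-net4"
    return "enabled"


def audit_tree(deploy_root):
    """Return {path: status} for every web.config below deploy_root."""
    results = {}
    for folder, _dirs, files in os.walk(deploy_root):
        for name in files:
            if name.lower() == "web.config":
                path = os.path.join(folder, name)
                try:
                    results[path] = classify(ET.parse(path).getroot())
                except ET.ParseError:
                    results[path] = "unparseable"
    return results
```

Call audit_tree with the WorkflowDeploy\Release directory from step 1 and review every project reported as anything other than "enabled".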