One other note - the situation discussed in the dotnetjunkies.com posting is precisely what CrossSiteScripting.IsDangerousString was supposed to check. The site correctly describes techniques for disabling the check and for encoding elements to pass through the check.
The case the I encountered with Vault is simply a bug in the cross-site scripting check that runs afoul of a perfectly valid BASE64 string.
"Too many errors occured while downloading files...&quo
Moderator: SourceGear
Carl:
You are correct, when this applies to normal web pages and web applications. I hope my posting doesn't convince anyone to eliminate this check within their normal ASP.Net development.
However, for Vault the file upload/download pages exist only to allow HTTP file transfers. There are no controls on the page, or for that matter anything which would require validation. This would be one of those cases where it would be safe to turn off the validator.
You are correct, when this applies to normal web pages and web applications. I hope my posting doesn't convince anyone to eliminate this check within their normal ASP.Net development.
However, for Vault the file upload/download pages exist only to allow HTTP file transfers. There are no controls on the page, or for that matter anything which would require validation. This would be one of those cases where it would be safe to turn off the validator.
Jeff Clausius
SourceGear
SourceGear