Microsoft Knowledge Base Article
The contents of this article are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Article ID: 915382 - Last Review: December 3, 2007 - Revision: 1.2
An ASP.NET application that is built on the .NET Framework 1.1 with Service Pack 1 may convert some symbols incorrectly
Consider the following scenario. You use a Microsoft ASP.NET application that is built on the Microsoft .NET Framework 1.1 with Service Pack 1 (SP1). In this ASP.NET application, you use a non-Unicode response encoding and the EnableBestFitResponseEncoding property is turned on. In this scenario, the ASP.NET application may convert some symbols incorrectly.
Best fit substitution works as follows. When a symbol is not present in the single-byte code page, the encoder replaces it with the closest graphical match that the code page does contain. When best fit mode is turned off, a symbol that is not present in the single-byte code page is instead replaced with a question mark (?). When best fit mode is turned on, a harmless symbol may be converted into a potentially dangerous symbol. For example, a harmless symbol may be converted into the greater than sign (>) or into the less than sign (<).
This problem occurs when the EnableBestFitResponseEncoding property is set to true and you use a non-Unicode response encoding. Because input validation runs on the Unicode string before the response is encoded, a character that the validation treats as harmless may reach the browser as an HTML metacharacter. This may let an attacker easily bypass the content restrictions and possibly expose the application to cross-site scripting and script injection attacks.
If the Web.Config file is similar to the following code example, this problem may occur.
<configuration>
<system.web>
<globalization enableBestFitResponseEncoding="true" requestEncoding="windows-1251" responseEncoding="windows-1251" />
</system.web>
</configuration>
To resolve this problem, set the EnableBestFitResponseEncoding property to false in the ASP.NET application. This turns best fit mode off, so characters that are not present in the code page are replaced with a question mark (?) instead of a best fit substitute. To set the EnableBestFitResponseEncoding property to false, use the following code example.
<configuration>
<system.web>
<globalization enableBestFitResponseEncoding="false" requestEncoding="windows-1251" responseEncoding="windows-1251" />
</system.web>
</configuration>
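The following added example (not code from this article or from Microsoft) makes the substitution described above concrete and shows the check a reviewer can run against a response encoder. It assumes the .NET Framework 2.0 or later, where Encoding.GetEncoding on a Windows code page returns an encoder whose default fallback is best fit and where the Windows best fit tables map the fullwidth angle brackets U+FF1C and U+FF1E to ASCII < and >. The EncoderFallback type used to switch fallbacks does not exist in the .NET Framework 1.1, where the Web.config setting above is the only switch.

```csharp
using System;
using System.Text;

// Added example, not code from KB 915382 or from Microsoft. Assumes the
// .NET Framework 2.0 or later, where Encoding.GetEncoding on a Windows code
// page returns an encoder whose default fallback is best fit, and where the
// Windows best-fit tables map the fullwidth angle brackets U+FF1C and U+FF1E
// to ASCII '<' and '>'.
static class BestFitCheck
{
    // Bytes that should never appear in the encoded output unless the same
    // character was already present in the source string.
    static readonly char[] Metacharacters = { '<', '>', '"', '\'', '&' };

    // Returns true if encoding 'text' with 'enc' produces an HTML
    // metacharacter that the source did not contain, i.e. the encoder, not
    // the caller, introduced it. Windows code pages are ASCII-compatible
    // below 0x80, so a byte below 0x80 can be compared as a char directly.
    public static bool EncoderIntroducesMetacharacter(Encoding enc, string text)
    {
        foreach (byte b in enc.GetBytes(text))
        {
            if (b >= 0x80) continue;
            char c = (char)b;
            if (Array.IndexOf(Metacharacters, c) >= 0 && text.IndexOf(c) < 0)
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed input: a script tag written with fullwidth angle
        // brackets. It contains no ASCII '<' or '>', so a filter that looks
        // for those characters in the Unicode string lets it through.
        string input = "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E";

        // Default fallback: best fit, which is what
        // enableBestFitResponseEncoding="true" selects for the response.
        Encoding bestFit = Encoding.GetEncoding("windows-1251");

        // Replacement fallback: unmappable characters become '?', which is
        // the behaviour with enableBestFitResponseEncoding="false".
        Encoding replacement = Encoding.GetEncoding("windows-1251",
            EncoderFallback.ReplacementFallback, DecoderFallback.ReplacementFallback);

        // Both outputs are pure ASCII here, so decoding them as ASCII is safe.
        Console.WriteLine("best fit    : " + Encoding.ASCII.GetString(bestFit.GetBytes(input)));
        Console.WriteLine("replacement : " + Encoding.ASCII.GetString(replacement.GetBytes(input)));
        Console.WriteLine("best fit introduces a metacharacter    : "
            + EncoderIntroducesMetacharacter(bestFit, input));
        Console.WriteLine("replacement introduces a metacharacter : "
            + EncoderIntroducesMetacharacter(replacement, input));
    }
}
```

Under those assumptions the best fit encoder emits an ASCII script tag that the Unicode input never contained, while the replacement encoder emits question marks in its place. The same round-trip check can be applied to any Encoding obtained from Response.ContentEncoding to confirm that the configured fallback does not introduce markup.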
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
When the EnableBestFitResponseEncoding property is set to false in an ASP.NET application that is built on the .NET Framework 1.1 with SP1, the encoding object that is obtained from the Response.ContentEncoding property has limited capabilities. In particular, do not call the GetDecoder method on that object. We recommend that you use UTF-8 encoding to avoid this limitation; because UTF-8 can represent every Unicode character, no substitution of any kind takes place. This limitation does not apply to an ASP.NET application that is built on the Microsoft .NET Framework 2.0.
APPLIES TO
- Microsoft .NET Framework 1.1 Service Pack 1
| kbtshoot kbbug kbprogramming kbprb kbinfo KB915382 |