How to display a custom error page when Request Validation Exceptions are thrown?
Asked Answered
C

4

14

We've configured our custom error pages as below for exceptions thrown by ASP.NET:

<customErrors mode="On" redirectMode="ResponseRewrite">
  <error statusCode="400" redirect="~/400.aspx"/>
  <error statusCode="404" redirect="~/404.aspx"/>
  <error statusCode="500" redirect="~/500.aspx"/>
</customErrors>

Setting redirectMode="ResponseRewrite" is important as it ensures the URL does not change (I believe ASP.NET performs a Server.Transfer instead of Response.Redirect).

Unfortunately this does not work for Request Validation Errors. For example, with custom errors enabled if I navigate to /some/page/<script> ASP.NET's request validation kicks in and a HttpException is thrown. However instead of displaying my custom error page I get the following message:

Server Error in '/' Application.

Runtime Error

Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.

Why is it that ASP.NET can not display my custom error page in this scenario? There is no code in the error page, just HTML so I know that the error page itself is not throwing any exceptions.

Also, if I catch the error myself in Application_Error and issue a Server.Transfer it works fine so I'm curious what ASP.NET is doing under the covers.

If we are to handle this ourselves, is there a better solution than this?

protected void Application_Error(object sender, EventArgs e)
{
    var ex = Server.GetLastError() as HttpException;
    if (ex != null 
        && ex.Message.StartsWith("A potentially dangerous Request.Path value was detected from the client")
        && HttpContext.Current.IsCustomErrorEnabled)
    {
        Server.Transfer("400.aspx");
    }
}
Carlton answered 11/1, 2014 at 22:2 Comment(2)
are you sure that the validation error throws a 400,404 or 500 error? maybe some other error code not handled by your configCaligula
Have you been able to figure this one out?Ringe
S
2

To be sure that you not omit any error codes that could occur in you webapp you can add default error page:

<customErrors mode="On" defaultRedirect="Error.aspx" />

And if you want to catch only RequestValidationErrors than you can handle it in your global.asax file:

 void Application_Error(object sender, EventArgs e)
 {
    Exception ex = Server.GetLastError();
    if (ex is HttpRequestValidationException)
    {
        Server.ClearError();
        Response.Redirect("RequestValidationError.aspx", false);
    }
 }
Soul answered 1/5, 2014 at 20:42 Comment(2)
It handles a generic HttpException, not a HttpRequestValidationException, and thus this won't work...Huan
You need to use ex.GetBaseException() to get the HttpRequestValidationExceptionInclusive
T
2

Place existingResponse="Replace" and subStatusCode="-1" in the httpErrors section of your web.config.

The page now comes up as 400 error and will display your error page.

In your application
enter image description here

In your web.config enter image description here

No need to use customErrors section

enter image description here
* #8 is a page where I generate a 500 error on purpose.

Thereabouts answered 18/8, 2016 at 18:14 Comment(0)
C
0

An issue with using the customErrors settings in a config file is that the redirection generated can cause a redirection HTTP status code (300 series) to be returned to the client/browser when you really wanted to send a server error HTTP status code (500 series) or a client error HTTP status code (400 series).

To examine the HTTP status code returned by your website you can use Chrome's "More tools > Developer tools" display with the "Network" tab selected. Then you'll be able to see the HTTP status code returned by your web server back to the client/browser. If an invalid email address login was entered, a client error status should be returned (HTTP status 400 series) and not a redirection status code (300 series).

The "Runtime time" error listed with your question may have been caused by an unhandled validation condition which generated a server error. Such errors require further attention, but should return a server error code (500 series) in the HTTP response.

Web server errors are handled at two levels. One level is in the page content display, the other is in the returned HTTP status codes. Ideally, these will be consistent with one another.

Class answered 2/2, 2016 at 21:18 Comment(0)
P
0
 void Application_Error(object sender, EventArgs e) {
    Exception Ex = Server.GetLastError;
    Logger.AddNewLog(Logger.LogType.ErrorLog, sender.ToString, "Error", (Ex.Message 
                    + (Environment.NewLine + Ex.StackTrace)));
    Server.ClearError();
    Response.Redirect("/Error");
}
Placenta answered 5/4, 2016 at 4:42 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.