An ASP.NET application that is built on the .NET Framework 1.1 with Service Pack 1 may convert some symbols incorrectly (915382)
The information in this article applies to:

  • Microsoft .NET Framework 1.1 Service Pack 1 (SP1)

SYMPTOMS

Consider the following scenario. You use a Microsoft ASP.NET application that is built on the Microsoft .NET Framework 1.1 with Service Pack 1 (SP1). In this ASP.NET application, you use non-Unicode encoding and the EnableBestFitResponseEncoding property. In this scenario, the ASP.NET application may convert some symbols incorrectly.

The cause is best fit substitution. When a character is not present in the single-byte code page, the encoder tries to replace it with the character in that code page that looks most like it. When best fit mode is turned off, a character that is not present in the single-byte code page is replaced with a question mark (?) instead. When best fit mode is turned on, a harmless character may therefore be converted into a potentially dangerous one. For example, a character that merely looks like an angle bracket may be encoded as the greater than sign (>) or as the less than sign (<).

CAUSE

This problem occurs when the EnableBestFitResponseEncoding property is set to true and the application uses a non-Unicode response encoding. Input validation that checks the Unicode string for characters such as < and > does not see the look-alike characters, but the encoder turns them into < and > when it writes the response. This may let an attacker easily bypass the content restrictions and possibly expose the application to cross-site scripting and script injection attacks.

If the Web.config file is similar to the following code example, this problem may occur.
<configuration>
    <system.web>
        <globalization enableBestFitResponseEncoding="true" requestEncoding="windows-1251" responseEncoding="windows-1251" />
    </system.web>
</configuration>
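The following Python script is an added example that is not part of this article or of the .NET Framework. It simulates the two behaviours described above: the best fit substitution from the SYMPTOMS section, and the filter bypass from the CAUSE section. The BEST_FIT table, the input filter, and the attacker string are constructed for illustration; the fullwidth-to-ASCII entries are modelled on the kind of mapping a best-fit table contains, but they are assumptions of this example, not a copy of Microsoft's table, and the real encoder is the .NET encoding object, not this function.

```python
# Added example (not from the KB article): simulate a single-byte response
# encoding with and without best fit substitution, then show why a filter that
# inspects the Unicode string cannot see what the encoder will emit.

# Constructed, illustrative best-fit table: characters that do not exist in
# windows-1251 mapped to the ASCII byte that looks most like them. Modelled on
# fullwidth-to-ASCII best-fit entries; an assumption of this example.
BEST_FIT = {
    "\uff1c": "<",  # FULLWIDTH LESS-THAN SIGN
    "\uff1e": ">",  # FULLWIDTH GREATER-THAN SIGN
    "\uff02": '"',  # FULLWIDTH QUOTATION MARK
    "\uff07": "'",  # FULLWIDTH APOSTROPHE
}


def encode_response(text: str, codepage: str = "cp1251", best_fit: bool = False) -> bytes:
    """Encode a response string as a single-byte responseEncoding would.

    best_fit=False mirrors enableBestFitResponseEncoding="false": a character
    absent from the code page becomes '?'. best_fit=True mirrors "true": the
    character is first looked up in BEST_FIT and only then replaced with '?'.
    """
    out = bytearray()
    for ch in text:
        try:
            out += ch.encode(codepage)          # character exists in the code page
        except UnicodeEncodeError:
            if best_fit and ch in BEST_FIT:
                out += BEST_FIT[ch].encode("ascii")  # best fit: look-alike byte
            else:
                out += b"?"                     # best fit off: question mark
    return bytes(out)


def input_looks_safe(text: str) -> bool:
    """A typical Unicode-level content restriction: reject ASCII angle brackets.

    It operates on the Unicode string, so it never sees the bytes the encoder
    will later produce.
    """
    return "<" not in text and ">" not in text


def render(text: str, best_fit: bool) -> bytes:
    """Filter, then encode, in the order an ASP.NET page processes a value."""
    if not input_looks_safe(text):
        raise ValueError("rejected by content filter")
    return encode_response(text, best_fit=best_fit)


# Constructed attacker input: fullwidth angle brackets (U+FF1C, U+FF1E) pass
# the filter because they are not the ASCII characters it checks for.
ATTACKER_INPUT = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"

# Constructed benign input: Cyrillic text is in windows-1251 and is encoded the
# same way whether or not best fit is enabled.
BENIGN_INPUT = "\u041f\u0440\u0438\u0432\u0435\u0442"  # "Privet"


if __name__ == "__main__":
    print("filter accepts attacker input:", input_looks_safe(ATTACKER_INPUT))
    print("best fit on :", render(ATTACKER_INPUT, best_fit=True))
    print("best fit off:", render(ATTACKER_INPUT, best_fit=False))
    print("benign      :", render(BENIGN_INPUT, best_fit=False))
```

With best fit on, the bytes on the wire are `<script>alert(1)</script>` even though the filter accepted the string; with best fit off, every look-alike becomes `?` and the markup never forms. Note that the filter is not the defence here: the fix is the encoder setting, and encoding the response as UTF-8 removes the substitution step entirely.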

RESOLUTION

To resolve this problem, set the EnableBestFitResponseEncoding property to false in the ASP.NET application. This turns best fit mode off, so a character that is not present in the code page is replaced with a question mark (?) instead of a look-alike character. To set the EnableBestFitResponseEncoding property to false, use the following code example.
<configuration>
    <system.web>
        <globalization enableBestFitResponseEncoding="false" requestEncoding="windows-1251" responseEncoding="windows-1251" />
    </system.web>
</configuration>

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

When the EnableBestFitResponseEncoding property is set to false in an ASP.NET application that is built on the .NET Framework 1.1 with SP1, the encoding object that is obtained from the Response.ContentEncoding property has limited capabilities. In particular, you should not call the GetDecoder method on that object. We recommend that you use UTF-8 encoding to avoid this limitation; UTF-8 can represent every character, so no best fit substitution takes place. This limitation does not apply to an ASP.NET application that is built on the Microsoft .NET Framework 2.0.

Modification Type: Major
Last Reviewed: 4/6/2006
Keywords: kbtshoot kbBug kbProgramming kbprb kbinfo KB915382 kbAudDeveloper kbAudITPRO