Kentico vs ValidateRequest

It seems Kentico are insisting on not encoding html sent to the server from the fckEditor. Instead, Kentico advises to turn ValidateRequest off.

That’s pretty fckEd. In this post, Kentico assure us they take security seriously;

we do a lot of investigating on this issue and fix every potentially dangerous part of the system during development stage as well as later during testing stage”

It would seem to me that encoding html from the fckEditor, in order to allow ValidateRequest not to break, would be high on their list. Apparently not.

The issue I have is, not all of the website in question is the work of kentico. In fact, the bulk of the solution is custom built, while using Kentico to leverage it’s content management. Obviously then, it would be unwise to turn off ValidateRequest for the whole site.

So enough ranting about Kentico, here’s the solution. Short of hacking the entire Kentico site to htmlencode all instances of the fckEditor, we can localise turning off ValidateRequest just to Kentico pages via directory-level web.configs and keep ValidateRequest = true at the root web.config.

Add this section to Directory level web.configs for all things kentico (ie. CMSAdminControls, CMSDesk, CMSFormControls, CMSMasterPages, CMSModules, CMSPages, CMSSiteManager)

<system.web>
 <pages ValidateRequest="false" />
</system.web>

Kentico have advised they will look at fixing this issue in later releases. However, I wouldn’t hold your breath, they’ve been saying this since 2006.

So, in short, Kentico are fckEd.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s