Tracking Script Exception when adding Google Analytics

May 7, 2007 at 12:13 AM
Using change set 2054, added the Google Analytics script to the Tracking Script Setting and received the following exception:

 
 
Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (ctl00$cphAdmin$txtTrackingScript="<script src="http://...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
 
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$cphAdmin$txtTrackingScript="<script src="http://...").   
 

This is explained in the following article:
http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

Adding ValidateRequest="false" to the page directive of admin\pages\settings.aspx allows the tracking script to be saved.

May 7, 2007 at 8:24 PM
I hope your solution won't make it. The .NET Framework does give this error for a reason. Something called security :-)
It will expose a potential risk to the web server, so there must be another solution.

Your problem seems to occur because the Analytics script tag is being transmitted back to the server (see Request.Form value), which is weird for a JavaScript tag.
So try to place the script somewhere else. The official place to put the JavaScript is within the head tag. In that case the JavaScript is outside the Form tags, so it won't be submitted.

A great solution would be that you can set your Google Analytics counter Id within the admin pages, so (if filled) BlogEngine.NET will automatically add the appropriate JavaScript tag.
But that's a very small feature, so I wouldn't count on it for the initial release.
Coordinator
May 8, 2007 at 6:48 PM
In change set 2173 you are able to specify script tags. As I see it, there is no other way around the security issue by setting ValidateRequest="false".

Tracking scripts need to be located at the bottom of the page for several reasons.

1. A page view isn't a page view until the page has loaded.
2. If the script hangs, then the entire page would hang.
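
The counter-Id approach suggested in the second reply, sketched as an added example that is not part of the thread or of BlogEngine.NET: the admin form accepts only an account Id, so no markup is posted and request validation can stay enabled. The class name, the placeholder script URL, the `trackingAccount` variable and the "UA-digits-digits" Id pattern are assumptions of this example.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper (added example, not BlogEngine.NET code).
public static class TrackingTag
{
    // Assumed Id shape: classic Google Analytics account Ids such as "UA-1234567-1".
    // \A and \z anchor the whole string, so nothing can trail the Id.
    private static readonly Regex AccountId =
        new Regex(@"\AUA-\d{4,10}-\d{1,4}\z", RegexOptions.CultureInvariant);

    // Placeholder: use the script URL from your analytics provider's own snippet.
    private const string ScriptUrl = "https://analytics.example/tracker.js";

    // Call when the settings form is saved; store only a value that passes.
    public static bool TryParseAccountId(string input, out string accountId)
    {
        accountId = null;
        if (input == null) return false;
        string candidate = input.Trim();
        if (!AccountId.IsMatch(candidate)) return false;
        accountId = candidate;
        return true;
    }

    // Call from the page footer. The stored value is re-validated before it is
    // written into markup, so a tampered setting renders nothing at all.
    public static string Render(string storedAccountId)
    {
        string id;
        if (!TryParseAccountId(storedAccountId, out id)) return string.Empty;
        return "<script type=\"text/javascript\" src=\""
             + HttpUtility.HtmlAttributeEncode(ScriptUrl) + "\"></script>\n"
             + "<script type=\"text/javascript\">var trackingAccount = \""
             + id + "\";</script>";
    }

    public static void Main()
    {
        // Constructed sample inputs: one valid Id, one markup payload, one with trailing text.
        string[] samples = { "UA-1234567-1", "<script src=\"x\"></script>", "UA-1234567-1\";alert(1)//" };
        foreach (string s in samples)
        {
            string html = Render(s);
            Console.WriteLine(html.Length == 0 ? "rejected: " + s : "rendered for: " + s);
        }
    }
}
```

Emitting `Render(...)` just before the closing body tag keeps the tag at the bottom of the page, as the coordinator's reply asks.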