Reputation: 3107
I'm trying to fix an XSS vulnerability. I surrounded my code with a try-catch block to handle an HttpRequestValidationException.
I cannot share the whole code due to privacy reasons. The following code is from a function being invoked in the Page_Load() method of an ASP.NET page.
Here's my catch block.
    // A long try block was here ...
    catch (HttpRequestValidationException)
    {
        // ASP.NET, let me handle this one.
        Server.ClearError();
        Response.Write(Messages.ParameterValidationError);
    }
This works as expected on localhost, but when I publish the code on IIS, another HttpRequestValidationException is thrown from a temporary ASP.NET class (see below).
Path to the wild class: '...\Temporary ASP.NET Files\<app_name>\5d4b8059\5739b33c\App_Web_n1jnrwmr.0.cs'
This problem also occurs on localhost when I don't use Server.ClearError().
I need to show a user-friendly error message instead of that irritating exception page.
Any help is appreciated, thank you!
Upvotes: 1
Views: 1854
Reputation: 561
Why aren't you just using the standard ASP.NET error handling approach of custom errors in the web config and defining a custom error page? If you want to log the exception, add the method Application_Error in your global.asax, which will be called on an unhandled exception (see code example below).
If you don't call "Server.ClearError()" then ASP.NET will use the error page defined in custom errors and automatically redirect your user there.
    protected void Application_Error(object sender, EventArgs args)
    {
        var exception = this.Server.GetLastError();
        Logger.Log(exception);
    }
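    <system.web>
      <!-- "On" (or "RemoteOnly") enables the redirect; "Off" would show the detailed ASP.NET error page -->
      <customErrors mode="On" defaultRedirect="~/error/notification">
        <!-- Required for HandleErrorFilter -->
        <error statusCode="404" redirect="~/error/notfound" />
      </customErrors>
    </system.web>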
Upvotes: 1
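One way to combine the question's goal (a friendly message for HttpRequestValidationException) with the answer's Application_Error approach, as an added example that is not code from either post. Logger is the answer's logging helper and is assumed to exist; the message text, the 400 status and the plain-text response are choices made for this example.

```csharp
// Global.asax.cs (added example; Logger.Log is assumed to exist, as in the answer)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Static text only: the rejected input is never echoed back to the browser.
    private const string FriendlyMessage =
        "The request contained characters that are not allowed. " +
        "Please check your input and try again.";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null)
            return;

        // The exception message quotes part of the rejected value,
        // so treat the log entry as untrusted data when it is displayed.
        Logger.Log(error);

        if (!IsRequestValidationFailure(error))
            return; // everything else is left to <customErrors>

        Server.ClearError();                     // suppress the default error page
        Response.Clear();                        // drop any partially rendered output
        Response.StatusCode = 400;               // the client sent a bad request
        Response.TrySkipIisCustomErrors = true;  // keep IIS from replacing the body
        Response.ContentType = "text/plain";
        Response.Write(FriendlyMessage);
    }

    // The exception can arrive wrapped (for example in HttpUnhandledException),
    // so walk the InnerException chain instead of testing only the outer type.
    private static bool IsRequestValidationFailure(Exception error)
    {
        for (Exception ex = error; ex != null; ex = ex.InnerException)
        {
            if (ex is HttpRequestValidationException)
                return true;
        }
        return false;
    }
}
```

Because the handler runs at application level, it also covers validation failures raised outside the try block in Page_Load, such as from the compiled page class.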