Unable to pass '<' in URL as parameter


Why am I unable to pass '<' character as a parameter in the URL? If I do:

http://localhost:9566/?myVar=2 that is ok

But I cannot do:

http://localhost:9566/?myVar=<foo> Why does this give me an error?

When I URL-encode <foo> I get %3Cfoo%3E.

And when I do http://localhost:9566/?myVar=%3Cfoo%3E, I still get the same error:


Abe Miessler On BEST ANSWER

This is by design. The characters you are trying to pass could potentially be used in a Cross Site Scripting (XSS) attack.

Here are a few links to get you started on understanding what XSS is:

While you can disable this type of validation, I would not recommend it. Do you really need to pass a tag in a query string parameter?
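The following is an added example, not part of the original question or answer. It shows why the percent-encoded URL fails the same way as the raw one (the server decodes the query string before any validation sees it) and how output encoding makes the value safe to display. The regex and the `looks_dangerous` and `render` helpers are hypothetical stand-ins, not any framework's actual validation rule.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Simplified stand-in for a framework's request validation (assumption):
# flag "<" followed by a character that can open a tag or markup declaration.
_TAG_START = re.compile(r"<[A-Za-z!/?]")


def query_value(url, name):
    """Return one query parameter after percent-decoding, as the server sees it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def looks_dangerous(value):
    """Hypothetical validation rule, applied to the already-decoded value."""
    return bool(_TAG_START.search(value))


def render(value):
    """Output-encode the value before placing it in an HTML page."""
    return "<p>myVar = {}</p>".format(html.escape(value, quote=True))


# The three URLs from the question.
URLS = [
    "http://localhost:9566/?myVar=2",
    "http://localhost:9566/?myVar=<foo>",
    "http://localhost:9566/?myVar=%3Cfoo%3E",
]


def report():
    """Return (url, decoded value, flagged?, encoded output) for each URL."""
    rows = []
    for url in URLS:
        value = query_value(url, "myVar")
        rows.append((url, value, looks_dangerous(value), render(value)))
    return rows


if __name__ == "__main__":
    for url, value, flagged, page in report():
        print("{!r:45} decoded={!r:8} flagged={!s:5} html={}".format(url, value, flagged, page))
```

Both the raw and the percent-encoded URL decode to the same string, so a check on the decoded value rejects both. If the parameter must carry markup-like text, encoding it on output is what keeps the browser from interpreting it as a tag.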