HTML script calling my ASP.NET code-behind Page_Load event, that is my problem
I have the below ASP.NET page:
<%@ Page Language="C#" AutoEventWireup="true" Inherits="search_function" Codebehind="search_function.aspx.cs" %>
And here is the ASP.NET C# code-behind:
<code>protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        PerformSearch();
    }
    catch (Exception ex)
    {
        Util.SendErrorEmail(ex);
        PerformSearch();
    }
}</code>
And this JS file has an AJAX call to search_function:
```
$.ajax({
    url: BasePath + 'search_function.aspx',
    data: 'action=search&value=' + t.value,
    type: 'post',
    cache: false,
    success: function (html) {
        results.stop().show().fadeTo(250, 1);
        results.html(html);
        spinner.html("");
        var addValue = 200;
        if ($('#ctl00_cph_searchControl_hidIsIndex').val() == "1") {
            addValue = -450;
        }
        results.css({
            "position": "absolute",
            "top": "107px"
            //"left": $('#search').position().left + addValue + "px"
        });
        // alert(window.location);
        BindResultsHover(); //bind our results hover listener to the new results
    }
});
```
This is working fine, but the below HTML script is calling my Page_Load event and I am getting alert 1:
<html>
<body>
<form action=http://localhost:51503/search_function.aspx method="POST">
<input type="hidden" name="action" value="search" />
<input type="hidden" name="value" value="1"onfocus="alert`1`"autofocus="" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
I have tried to use IsValid in the Page_Load event, but this XSS script is still calling my page.
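
A cross-site form can post to search_function.aspx regardless of what the page's own JavaScript does, so the value has to be encoded where the server writes it into the response. The following is an added example, not the poster's code: it contrasts concatenating the posted value into an attribute with HTML-encoding it first. Assumptions: PerformSearch() is not shown in the question, so RenderUnsafe and RenderEncoded are hypothetical stand-ins for the markup it writes, the sample string is the payload visible in the question's form, and System.Net.WebUtility is used so the snippet runs as a console program.

```csharp
using System;
using System.Net;

// Added illustration, not the poster's code. PerformSearch() is not shown in the
// question, so RenderUnsafe/RenderEncoded are hypothetical stand-ins for whatever
// markup it writes back containing the posted "value" field.
public static class SearchFragment
{
    // Vulnerable shape: the posted value is concatenated into a double-quoted attribute.
    public static string RenderUnsafe(string value)
    {
        return "<input type=\"text\" id=\"search\" value=\"" + value + "\" />";
    }

    // Hardened shape: encode for HTML at the point of output, so a quote in the
    // value becomes &quot; and cannot close the attribute.
    public static string RenderEncoded(string value)
    {
        return "<input type=\"text\" id=\"search\" value=\""
             + WebUtility.HtmlEncode(value) + "\" />";
    }

    public static void Main()
    {
        // Payload string visible in the question's form, taken here as the posted
        // value (assumption: the original form entity-encoded the inner quotes).
        string posted = "1\"onfocus=\"alert`1`\"autofocus=\"";

        Console.WriteLine("unsafe : " + RenderUnsafe(posted));
        Console.WriteLine("encoded: " + RenderEncoded(posted));

        // After encoding, the only raw double quotes left are the ones the template wrote.
        string encoded = WebUtility.HtmlEncode(posted);
        Console.WriteLine("raw quotes left in value: " + (encoded.IndexOf('"') >= 0));
    }
}
```

In Web Forms code-behind the corresponding calls are HttpUtility.HtmlAttributeEncode for attribute values and Server.HtmlEncode for element content, applied at the point where the value is written into the response.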