Creating Custom Error Messages

IIS 6.0

If you develop a custom error-handling application using Internet Server API (ISAPI) or Active Server Pages (ASP), you can configure IIS to use your application or ASP page.


The error status is handed to the application in the URL parameters, and the application must set the HTTP header status itself. Otherwise, the client receives the custom error page with the status "HTTP/1.1 200 OK," as if the request had succeeded.

If you map a custom error message to an ASP file, you must use Server.HTMLEncode to encode your output to avoid cross-site scripting vulnerabilities. Malicious users can send false headers that contain characters like < > " ' % ; ) ( & + - to inject script into the response that is generated by your ASP custom error file. For example, if you use a header to generate a personal greeting, HTML-encode your output as shown in the following example:

<%@ LANGUAGE="VBScript" %>
<%
  Response.CodePage = 1252
  ' HTML-encode the user-supplied value before it is written into the page
  Response.Write("Hello, " & Server.HTMLEncode(Request.Form("UserName")))
  Response.Write("This is why you received an error:")
%>

An alternate solution is to add a function to your ASP custom error file that uses the Regular Expression object of Windows Script Host to remove potentially harmful characters from a string that is sent to the function. The following two ASP examples contain such a function. The first example is written in Microsoft Visual Basic Scripting Edition (VBScript), and the second example is written in Microsoft JScript:

<%@ LANGUAGE="VBScript" %>
<%
  Response.CodePage = 1252
  Response.Write("Hello, " & RemoveBadCharacters(Request.Form("UserName")))
  Response.Write("<BR>This is why you received an error:")

  ' Strip every character that is not whitespace or a word character
  Function RemoveBadCharacters(strTemp)
    Dim regEx
    Set regEx = New RegExp
    regEx.Pattern = "[^\s\w]"
    regEx.Global = True
    RemoveBadCharacters = regEx.Replace(strTemp, "")
  End Function
%>

<%@ LANGUAGE="JScript" %>
<%
  Response.CodePage = 1252;
  Response.Write("Hello, " + RemoveBadCharacters(Request.Form("UserName")));
  Response.Write("<BR>This is why you received an error:");

  // Strip every character that is not whitespace or a word character
  function RemoveBadCharacters(strTemp) {
    strTemp = strTemp.replace(/[^\s\w]/g, "");
    return strTemp;
  }
%>

In both examples above, the code page is specified to ensure proper encoding.
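The two requirements above, setting the HTTP status yourself and encoding attacker-influenced input before writing it, as an added example in JScript-style JavaScript that is not part of the IIS documentation. The ASP objects are left out so the functions can be run and tested anywhere; in the error page you would pass Request.ServerVariables("QUERY_STRING") to buildErrorResponse and assign the result to Response.Status and Response.Write. It assumes IIS hands the error to the page as the query string "<status>;<original URL>".

```javascript
// Added example, not from the IIS documentation. Assumption: IIS passes the
// error as the query string "<status>;<original URL>", for example
// "404;http://localhost:80/missing.htm".

var REASONS = { 400: "Bad Request", 401: "Unauthorized", 403: "Forbidden",
                404: "Not Found", 500: "Internal Server Error" };

// Encode the characters that matter in HTML text and attribute values; this is
// the equivalent of Server.HTMLEncode for the attacker-controlled original URL.
function htmlEncode(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Parse "<status>;<url>". Anything that is not a known error status becomes
// 500, so a malformed or forged query string never produces a "200 OK" page.
function parseErrorQuery(qs) {
  var m = /^(\d{3})(?:;(.*))?$/.exec(qs || "");
  var code = (m && REASONS[m[1]]) ? Number(m[1]) : 500;
  return { status: code, reason: REASONS[code],
           originalUrl: (m && m[2]) ? m[2] : "" };
}

// Build what the ASP page sends: the status line for Response.Status (without
// it IIS would answer 200 OK) and a body in which the original URL is encoded.
function buildErrorResponse(qs) {
  var e = parseErrorQuery(qs);
  return {
    statusLine: e.status + " " + e.reason,
    body: "<html><body><h1>" + e.status + " " + htmlEncode(e.reason) + "</h1>" +
          "<p>This is why you received an error: the requested address " +
          "<code>" + htmlEncode(e.originalUrl) + "</code> could not be served.</p>" +
          "</body></html>"
  };
}

// In the ASP file:  var r = buildErrorResponse(Request.ServerVariables("QUERY_STRING"));
//                   Response.Status = r.statusLine;  Response.Write(r.body);
```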

Once you create an ASP error-processing file of your own, you need to enable it through IIS Manager.


If you create a custom error message file and it contains ASP errors, the errors are displayed in the browser along with the error intended for the client.