An IFRAME injection vulnerability, also Microsoft's Application["Error"] vulnerability

Source: Internet
Author: User

Recently the school ran a security grade assessment, and I was told that a site I wrote has an IFRAME injection vulnerability on its error page. I then scanned my website with Netsparker and found that the error page does have the flaw. When I wrote the site I added an error page so that I could easily see the current program error; the code is as follows:

        // error.aspx.cs: renders whatever Application["Error"] holds as raw HTML (no encoding)
        if (!IsPostBack)
        {
            div_error.InnerHtml = Application["Error"].ToString() + "<br/>" + "<a target='_top' href='login.aspx'>Return home</a>";
        }

And this is what is written in Global.asax:

        void Application_Error(object sender, EventArgs e)
        {
            // Code that runs when an unhandled error occurs
            //Exception ex = Server.GetLastError();
            //Server.ClearError();
            //try
            //{
            //    Its.Common.LogBase.WriteException(ex, Request);
            //}
            //catch { }
            //finally
            //{
            //    // may cause ASP.NET Ajax UpdatePanel control exceptions
            //    Response.Redirect("~/error.aspx");
            //}

            // Code that runs when an unhandled error occurs
            Exception objErr = Server.GetLastError().GetBaseException();
            // The request URL and the exception message are concatenated into HTML without encoding;
            // this is the injection point the scanner flagged.
            string error = "<br/><br/><span style='color:red'>Occurrence exception page:</span>" + Request.Url.ToString() + "<br/><br/>";
            error += "<span style='color:red'>Exception information:</span>" + objErr.Message + "<br/><br/>";
            Server.ClearError();
            Application["Error"] = error;
            Response.Redirect("error.aspx");
        }

Note: written this way, if someone carries out a malicious IFRAME injection attack, Application["Error"] will hold the content of that IFRAME. If it turns out to be something unhealthy, you will be laughed at. A reminder to everyone: as for the error page, output a custom string directly instead, and do not throw system exception information. This is Microsoft's loophole.
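The following is an added example of a hardened version of the same Global.asax / error.aspx pair; it is not the original post's code. It assumes the same page names (error.aspx with a div_error control, login.aspx) and uses a hypothetical AppLogger placeholder in place of whatever logging library the site has. It fixes the two problems the page describes: the request URL and exception message are HTML-encoded before being placed in InnerHtml, so an injected <iframe ...> renders as literal text instead of markup, and the details are carried in the per-request Context.Items across a Server.Transfer instead of the site-wide Application state, which every visitor shares.

```csharp
// Added example, not the original post's code. Assumes error.aspx with a
// div_error control and login.aspx exist; AppLogger is a hypothetical placeholder.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;

// Pure helper so the encoding step can be reviewed on its own.
// HttpUtility.HtmlEncode turns '<' into "&lt;" and '>' into "&gt;", so an
// attacker-supplied "<iframe src=...>" in the URL or message is shown as text.
public static class SafeError
{
    public static string BuildHtml(string requestUrl, string exceptionMessage)
    {
        return "<span style='color:red'>Occurrence exception page:</span> "
             + HttpUtility.HtmlEncode(requestUrl) + "<br/><br/>"
             + "<span style='color:red'>Exception information:</span> "
             + HttpUtility.HtmlEncode(exceptionMessage) + "<br/><br/>";
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception objErr = Server.GetLastError();
        if (objErr == null) return;
        objErr = objErr.GetBaseException();

        // Full details (URL, message, stack) stay on the server in the log.
        AppLogger.Write(Request.Url.ToString(), objErr);

        // Per-request carrier instead of Application["Error"]: Context.Items
        // survives Server.Transfer but is never visible to another user's request.
        Context.Items["ErrorHtml"] = SafeError.BuildHtml(Request.Url.ToString(), objErr.Message);

        Server.ClearError();
        Server.Transfer("~/error.aspx");
    }
}

// error.aspx.cs
public partial class ErrorPage : Page
{
    protected HtmlGenericControl div_error;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Prefer the fixed message the post recommends; only fall back to the
        // encoded detail when it was set by Application_Error in this request.
        string detail = Context.Items["ErrorHtml"] as string
                        ?? HttpUtility.HtmlEncode("An error occurred. It has been recorded.");

        div_error.InnerHtml = detail
            + "<br/><a target=\"_top\" href=\"login.aspx\">Return home</a>";
    }
}

// Hypothetical logging placeholder (not a real library); replace with your own.
public static class AppLogger
{
    public static void Write(string url, Exception ex)
    {
        System.Diagnostics.Trace.WriteLine("[" + url + "] " + ex);
    }
}
```

Two design points: encoding at the point of output is what closes the injection regardless of where the text came from, and keeping the error text out of HttpApplicationState also prevents one visitor's request URL and error message from being shown to the next person who lands on error.aspx. If the site does not need to show the URL at all, drop SafeError.BuildHtml and always render the fixed message.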

