requestValidationMode causes ValidateRequest=False to stop working, or the ASP.NET 4.0 event message: A validation error has occurred; a potentially dangerous Request.Form value was detected
2011-12-15 13:59
[Repost] requestValidationMode causes ValidateRequest=False to stop working, or the ASP.NET 4.0 event message: A validation error has occurred; a potentially dangerous Request.Form value was detected
Author: kwanann  Posted: 2010-09-19 12:46:15
The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.
In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.
As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:
XML/XHTML code
<httpRuntime requestValidationMode="2.0" />
IMPORTANT:
Because this now happens in the BeginRequest phase of an HTTP request, pages with validateRequest="false" will still get the dreaded message. The only options are to:
1. Set requestValidationMode="2.0", in which case the page setting will apply
2. Ignore the requestValidationMode setting, create your own request validator, and change your web.config to use the custom validator
Creating your own custom request validation
Here’s sample code for a custom request validator that allows all HTML tags except script tags.
You will need to modify the web.config as well:
XML/XHTML code
<httpRuntime requestValidationType="Globals.CustomRequestValidation" />
NOTE: There is currently no way to find out whether the page has validateRequest=false. I’ve submitted feedback to Microsoft; click here to view the status of the request.
C# code
using System;
using System.Web;
using System.Web.Util;

namespace Globals
{
    /// <summary>
    /// Custom request validator that allows all HTML tags except script tags.
    /// </summary>
    public class CustomRequestValidation : RequestValidator
    {
        public CustomRequestValidation() { }

        protected override bool IsValidRequestString(HttpContext context,
            string value, RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            // Block script tags. The ordinal, case-insensitive comparison avoids
            // culture-dependent lowercasing (for example the Turkish dotless i),
            // which could let "<SCRIPT" slip past a ToLower()-based check.
            var idx = (value ?? string.Empty)
                .IndexOf("<script", StringComparison.OrdinalIgnoreCase);
            if (idx > -1)
            {
                validationFailureIndex = idx;
                return false;
            }
            else
            {
                validationFailureIndex = 0;
                return true;
            }
        }
    }
}
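An added example, not code from the original post: because a custom validator cannot see the page's validateRequest setting, this variant applies the relaxed script-tag check only to one named form field on one page and passes every other value to the built-in check through base.IsValidRequestString. The class name ScopedRequestValidation, the page path ~/Admin/EditArticle.aspx and the field name ctl00$Main$BodyHtml are assumptions for illustration. A "<script" substring check is not a complete HTML filter, so the relaxed field still has to be sanitized or encoded before it is rendered.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Util;

namespace Globals
{
    // Added example: relaxes validation per page and per form field only.
    public class ScopedRequestValidation : RequestValidator
    {
        // Hypothetical page path and field name; replace with the application's own.
        private static readonly Dictionary<string, HashSet<string>> RelaxedFields =
            new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
            {
                { "~/Admin/EditArticle.aspx", new HashSet<string>(StringComparer.Ordinal)
                    { "ctl00$Main$BodyHtml" } }
            };

        protected override bool IsValidRequestString(HttpContext context,
            string value, RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            HashSet<string> fields;
            bool relaxed =
                requestValidationSource == RequestValidationSource.Form &&
                collectionKey != null &&
                RelaxedFields.TryGetValue(
                    context.Request.AppRelativeCurrentExecutionFilePath, out fields) &&
                fields.Contains(collectionKey);

            if (!relaxed)
            {
                // Query string, cookies, headers and all other form fields
                // keep the default ASP.NET 4 validation.
                return base.IsValidRequestString(context, value,
                    requestValidationSource, collectionKey, out validationFailureIndex);
            }

            // Relaxed field: still reject script tags, as the validator above does.
            int idx = (value ?? string.Empty)
                .IndexOf("<script", StringComparison.OrdinalIgnoreCase);
            validationFailureIndex = idx > -1 ? idx : 0;
            return idx == -1;
        }
    }
}
```

To use it, set requestValidationType="Globals.ScopedRequestValidation" on the httpRuntime element in place of the validator shown above.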
Original: http://jefferytay.wordpress.com/2010/04/15/asp-net-4-breaking-changes-1-requestvalidationmode-cause-validaterequestfalse-to-fail/