A potentially dangerous Request.Form value was detected from the client

Front-end | Unresolved | 30 | 2120
刺人心 2020-11-21 05:24

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown.

I don't want to go

30 answers
  • 2020-11-21 05:34

    In ASP.NET MVC (starting in version 3), you can add the AllowHtml attribute to a property on your model.

    It allows a request to include HTML markup during model binding by skipping request validation for the property.

    [AllowHtml]
    public string Description { get; set; }
    
  • 2020-11-21 05:34

    Another solution is:

    protected void Application_Start()
    {
        ...
        RequestValidator.Current = new MyRequestValidator();
    }
    
    public class MyRequestValidator: RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            bool result = base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    
            if (!result)
            {
                // Write your validation here
                if (requestValidationSource == RequestValidationSource.Form ||
                    requestValidationSource == RequestValidationSource.QueryString)
    
                    return true; // Suppress error message
            }
            return result;
        }
    }
    
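    The validator above waves through every Form and QueryString value once the built-in check fails. As an added example (not code from the question or from this answer), here is a narrower variant that exempts only an allow-list of named form fields and keeps the default behaviour for everything else; the field name "Description" and the helper names are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Util;

// Added example: request validation is relaxed per form field, not globally.
public class FieldScopedRequestValidator : RequestValidator
{
    // Assumed allow-list: only these posted fields may carry raw '<' and '>'.
    private static readonly HashSet<string> HtmlAllowedFields =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Description" };

    protected override bool IsValidRequestString(HttpContext context, string value,
        RequestValidationSource requestValidationSource, string collectionKey,
        out int validationFailureIndex)
    {
        // Run the framework check first; cookies, headers, path, query string
        // and non-listed form fields keep the stock behaviour.
        bool isValid = base.IsValidRequestString(context, value, requestValidationSource,
            collectionKey, out validationFailureIndex);
        if (isValid)
            return true;

        // Only a posted Form field on the allow-list may bypass the failure.
        if (requestValidationSource == RequestValidationSource.Form
            && collectionKey != null
            && HtmlAllowedFields.Contains(collectionKey))
        {
            validationFailureIndex = -1;
            return true;
        }

        return false; // everything else still throws HttpRequestValidationException
    }

    // The exempted value is still untrusted input; encode it on every render.
    // Assumed helper name, used wherever the stored text is written into HTML.
    public static string RenderAsText(string rawDescription)
    {
        return HttpUtility.HtmlEncode(rawDescription ?? string.Empty);
    }
}

// Register once in Global.asax.cs:
//   protected void Application_Start()
//   {
//       RequestValidator.Current = new FieldScopedRequestValidator();
//   }
```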
  • 2020-11-21 05:34

    I guess you could do it in a module; but that leaves open some questions; what if you want to save the input to a database? Suddenly because you're saving encoded data to the database you end up trusting input from it which is probably a bad idea. Ideally you store raw unencoded data in the database and then encode every time.

    Disabling the protection on a per page level and then encoding each time is a better option.

    Rather than using Server.HtmlEncode you should look at the newer, more complete Anti-XSS library from the Microsoft ACE team.

  • 2020-11-21 05:35

    If you don't want to disable ValidateRequest you need to implement a JavaScript function in order to avoid the exception. It is not the best option, but it works.

    function AlphanumericValidation(evt)
    {
        var charCode = (evt.charCode) ? evt.charCode : ((evt.keyCode) ? evt.keyCode :
            ((evt.which) ? evt.which : 0));
    
        // User typed the Enter key
        if (charCode == 13)
        {
            // Do something, set controls focus or do anything
            return false;
        }
    
        // User cannot type non-alphanumeric characters (no return value means the key is allowed)
        if ( (charCode <  48)                     ||
             (charCode > 122)                     ||
             ((charCode > 57) && (charCode < 65)) ||
             ((charCode > 90) && (charCode < 97))
           )
        {
            // Show a message or do something
            return false;
        }
    }
    

    Then in the code-behind, on the PageLoad event, add the attribute to your control with the following code:

    Me.TextBox1.Attributes.Add("OnKeyPress", "return AlphanumericValidation(event);")
    
  • 2020-11-21 05:35

    I was getting this error too.

    In my case, a user entered an accented character á in a Role Name (regarding the ASP.NET membership provider).

    I pass the role name to a method to grant Users to that role and the $.ajax post request was failing miserably...

    I did this to solve the problem:

    Instead of

    data: { roleName: '@Model.RoleName', users: users }
    

    Do this

    data: { roleName: '@Html.Raw(@Model.RoleName)', users: users }
    

    @Html.Raw did the trick.

    I was getting the Role name as HTML value roleName="Cadastro b&#225;s". This value with HTML entity &#225; was being blocked by ASP.NET MVC. Now I get the roleName parameter value the way it should be: roleName="Cadastro Básico" and ASP.NET MVC engine won't block the request anymore.

  • 2020-11-21 05:36

    You can use something like:

    var nvc = Request.Unvalidated().Form;
    

    Later, nvc["yourKey"] should work.
