A potentially dangerous Request.Form value was detected from the client

刺人心 2020-11-21 05:24

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown.

I don't want to go

30 answers
  • 2020-11-21 05:53

    There's a different solution to this error if you're using ASP.NET MVC:

    • ASP.NET MVC – pages validateRequest=false doesn’t work?
    • Why is ValidateInput(False) not working?
    • ASP.NET MVC RC1, VALIDATEINPUT, A POTENTIAL DANGEROUS REQUEST AND THE PITFALL

    C# sample:

    [HttpPost, ValidateInput(false)]
    public ActionResult Edit(FormCollection collection)
    {
        // ...
    }
    

    Visual Basic sample:

    <AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _
    Function Edit(ByVal collection As FormCollection) As ActionResult
        ' ...
    End Function
    
  • 2020-11-21 05:54

    If you're using framework 4.0, then use this entry in the web.config (<pages validateRequest="false" />):

    <configuration>
        <system.web>
            <pages validateRequest="false" />
        </system.web>
    </configuration>
    

    If you're using framework 4.5, then use this entry in the web.config (requestValidationMode="2.0"):

    <system.web>
        <compilation debug="true" targetFramework="4.5" />
        <httpRuntime targetFramework="4.5" requestValidationMode="2.0"/>
    </system.web>
    

    If you want this for only a single page, then in your aspx file you should put this as the first line:

    <%@ Page EnableEventValidation="false" %>
    

    If you already have something like <%@ Page, just add the rest => EnableEventValidation="false" %>

    I recommend not to do it.

  • 2020-11-21 05:55

    You could also use JavaScript's escape(string) function to replace the special characters. Then server side use Server.URLDecode(string) to switch it back.

    This way you don't have to turn off input validation and it will be more clear to other programmers that the string may have HTML content.

  • 2020-11-21 05:56

    In ASP.NET MVC you need to set requestValidationMode="2.0" and validateRequest="false" in web.config, and apply a ValidateInput attribute to your controller action:

    <httpRuntime requestValidationMode="2.0"/>
    
    <configuration>
        <system.web>
            <pages validateRequest="false" />
        </system.web>
    </configuration>
    

    and

    [HttpPost, ValidateInput(false)]
    public ActionResult Edit(string message) {
        // ...
    }
    
  • 2020-11-21 05:56

    It seems no one has mentioned the below yet, but it fixes the issue for me. And before anyone says yeah it's Visual Basic... yuck.

    <%@ Page Language="vb" AutoEventWireup="false" CodeBehind="Example.aspx.vb" Inherits="Example.Example" ValidateRequest="false" %>
    

    I don't know if there are any downsides, but for me this worked amazing.

  • 2020-11-21 06:00

    Disable the page validation if you really need the special characters like >, <, etc. Then ensure that when the user input is displayed, the data is HTML-encoded.

    There is a security vulnerability with the page validation, so it can be bypassed. Also the page validation shouldn't be solely relied on.

    See: http://web.archive.org/web/20080913071637/http://www.procheckup.com:80/PDFs/bypassing-dot-NET-ValidateRequest.pdf

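The last answer's advice (accept the raw characters, then HTML-encode when the input is displayed) as an added C# example; it is not code from any of the answers above. `CommentStore` and `CommentRenderer` are hypothetical names, and the sample posts are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net; // WebUtility ships with the framework (.NET 4.0 and later)

// Hypothetical store standing in for the application's database.
static class CommentStore
{
    private static readonly List<string> Comments = new List<string>();

    // Keep exactly what the user typed. Encoding at write time would
    // corrupt the data for non-HTML consumers (e-mail, JSON, exports).
    public static void Save(string raw) { Comments.Add(raw ?? string.Empty); }

    public static IEnumerable<string> All() { return Comments; }
}

// Hypothetical renderer: the only place user text meets HTML.
static class CommentRenderer
{
    // HtmlEncode turns <, >, & and quotes into entities, so the browser
    // displays the characters instead of parsing them as markup.
    public static string ToHtmlListItem(string raw)
    {
        return "<li>" + WebUtility.HtmlEncode(raw) + "</li>";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample posts containing the characters that
        // trigger the request-validation exception.
        CommentStore.Save("if (a < b && b > c) return;");
        CommentStore.Save("Use <b>bold</b> for \"emphasis\"");
        CommentStore.Save("<script>alert(1)</script>");

        foreach (string raw in CommentStore.All())
        {
            string html = CommentRenderer.ToHtmlListItem(raw);
            // Decoding the encoded text must give back the stored value.
            bool lossless = WebUtility.HtmlDecode(WebUtility.HtmlEncode(raw)) == raw;
            Console.WriteLine("{0}  (round-trip intact: {1})", html, lossless);
        }
    }
}
```

In a Razor view `@Model.Message` and in Web Forms `<%: Message %>` apply the same HTML encoding automatically.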