发表新帖
发表新帖

A potentially dangerous Request.Form value was detected from the client

前端 未结
关注
30 2122
刺人心
刺人心 2020-11-21 05:24

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown.

I don\'t want to go

相关标签:
30条回答
  • 离开以前
    2020-11-21 05:53

    There's a different solution to this error if you're using ASP.NET MVC:

    • ASP.NET MVC – pages validateRequest=false doesn’t work?
    • Why is ValidateInput(False) not working?
    • ASP.NET MVC RC1, VALIDATEINPUT, A POTENTIAL DANGEROUS REQUEST AND THE PITFALL

    C# sample:

    [HttpPost, ValidateInput(false)]
public ActionResult Edit(FormCollection collection)
{
    // ...
}

    Visual Basic sample:

    <AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _
Function Edit(ByVal collection As FormCollection) As ActionResult
    ...
End Function
    0 讨论(0)
  • 既然无缘
    2020-11-21 05:54

    If you're using framework 4.0 then the entry in the web.config (<pages validateRequest="false" />)

    <configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>

    If you're using framework 4.5 then the entry in the web.config (requestValidationMode="2.0")

    <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" requestValidationMode="2.0"/>
</system.web>

    If you want for only single page then, In you aspx file you should put the first line as this :

    <%@ Page EnableEventValidation="false" %>

    if you already have something like <%@ Page so just add the rest => EnableEventValidation="false" %>

    I recommend not to do it.

    0 讨论(0)
  • 青春惊慌失措
    2020-11-21 05:55

    You could also use JavaScript's escape(string) function to replace the special characters. Then server side use Server.URLDecode(string) to switch it back.

    This way you don't have to turn off input validation and it will be more clear to other programmers that the string may have HTML content.

    0 讨论(0)
  • 不思量自难忘°
    2020-11-21 05:56

    In ASP.NET MVC you need to set requestValidationMode="2.0" and validateRequest="false" in web.config, and apply a ValidateInput attribute to your controller action:

    <httpRuntime requestValidationMode="2.0"/>

<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>

    and

    [Post, ValidateInput(false)]
public ActionResult Edit(string message) {
    ...
}
    0 讨论(0)
  • 情书的邮戳
    2020-11-21 05:56

    It seems no one has mentioned the below yet, but it fixes the issue for me. And before anyone says yeah it's Visual Basic... yuck.

    <%@ Page Language="vb" AutoEventWireup="false" CodeBehind="Example.aspx.vb" Inherits="Example.Example" **ValidateRequest="false"** %>

    I don't know if there are any downsides, but for me this worked amazing.

    0 讨论(0)
  • 青春惊慌失措
    2020-11-21 06:00

    Disable the page validation if you really need the special characters like, >, , <, etc. Then ensure that when the user input is displayed, the data is HTML-encoded.

    There is a security vulnerability with the page validation, so it can be bypassed. Also the page validation shouldn't be solely relied on.

    See: http://web.archive.org/web/20080913071637/http://www.procheckup.com:80/PDFs/bypassing-dot-NET-ValidateRequest.pdf

    0 讨论(0)
 看不清?
提交回复
热议问题