<pages validateRequest=“false” /> and <httpRuntime requestValidationMode=“2.0” /> not working

纵饮孤独 提交于 2020-01-03 05:12:23

问题


I've inherited an MVC asp.net app using framework 4.0.

I'm getting the dreaded "A potentially dangerous Request.Form value was detected from the client" error and all my research leads me to believe that this should fix it:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
</system.web>

However, I've added that to my web.config and still get the error. I'm at the end of my rope here, what am I missing?


回答1:


In addition to what you did you also have to decorate your methods with the ValidateInput attribute.

[ValidateInput(false)]
public ActionResult MyActionMethod(string myParameter)
{
    // Method implementation goes here... 
}

There is an alternative though, you can implement your own request validator and bind that in your web.config if you want to handle validation for your entire site. Take a look at this blog post on how to fully implement it.

Basically, create a class that inherits from RequestValidator and then hook it up on the web.config.

<httpRuntime requestValidationType=”Globals.CustomRequestValidation”/>

Hopefully this helps!




回答2:


Take another approach. In the httpRuntime, point to your custom validation class. This way have the complete control over incoming requests as the validator is fired upon each single request, at the beginning of the processing pipeline.

In particular, if you implement your validator to return true, you will unconditionally accept all incoming requests.

http://msdn.microsoft.com/en-us/library/system.web.util.requestvalidator.aspx




回答3:


The simplest way is to remove the characters you want from the validation system.

Here is the requestPathInvalidCharacters attribute from the httpRuntime element with its default value.

<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\" />
<!-- the unescaped characters are: < > * % & : \  -->

Remove the characters you want to authorize and the request will work.



来源:https://stackoverflow.com/questions/12202986/pages-validaterequest-false-and-httpruntime-requestvalidationmode-2-0

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!