C# 从客户端检测到潜在危险的 Request.Form 值
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9130186/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
A potentially dangerous Request.Form value was detected from the client
提问by user929153
I have this issue. I have tried everything. ValidateRequest="false".. and decoding and encoding html.. etc. etc..
我有这个问题。我已经尝试了一切。ValidateRequest="false".. 和解码和编码 html.. 等等等等..
What I need is a popup box (so im using ModalPopupExtender) to present to a user where people can type in xml settings and click ok/cancel button to close the popup and save.
我需要的是一个弹出框(所以我使用 ModalPopupExtender)来呈现给用户,人们可以在其中输入 xml 设置,然后单击确定/取消按钮关闭弹出窗口并保存。
However i keep on getting this error "A potentially dangerous Request.Form value was detected from the client"..
但是我不断收到此错误“从客户端检测到潜在危险的 Request.Form 值”..
Here is my test code below (quick example of my scenario and error)..
下面是我的测试代码(我的场景和错误的快速示例)。
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication1.WebForm1"
ValidateRequest="false" %>
<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<asp:ScriptManager ID="ScriptManager1" runat="server">
</asp:ScriptManager>
<div>
<asp:Panel ID="Popup" runat="server" Width="800px" Style="display: none;">
<asp:LinkButton ID="Display" runat="server" Style="display: none;" OnClick="Display_Click" />
<cc1:ModalPopupExtender ID="ModalPopupExtender" runat="server" TargetControlID="Display"
PopupControlID="Popup" DropShadow="false" Y="10" />
<div id="Item">
<div class="Item">
<table width="100%">
<tr>
<td>
<textarea id="txtAreaValue" cols="35" rows="6" style="resize: none;" runat="server" />
</td>
</tr>
<tr>
<td>
<asp:Button ID="btnOk" Text="Ok" SkinID="default" Width="50px" runat="server" />
<asp:Button ID="btnCancel" Text="Cancel" SkinID="default" Width="50px" OnClick="BtnCancel_Click"
runat="server" />
</td>
</tr>
</table>
</div>
</div>
</asp:Panel>
</div>
</form>
</body>
</html>
Code Behind:
背后的代码:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace WebApplication1
{
public partial class WebForm1 : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
ModalPopupExtender.Show();
string str = "<?xml version=\"1.0\" encoding=\"utf-8\"?><XmlConfig xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"> <XmlConfig Type=\"TEST\" DefiningXpath=\"/PERSON/NAME\"><Index Name=\"Name\" XPath=\"/PERSON/NAME/VALUE\" Type=\"String\" /><Index Name=\"Id\" XPath=\"/PERSON/NAME/ID\" Type=\"String\" /> </XmlConfig></XmlConfig>";
txtAreaValue.InnerText = str;
}
protected void Display_Click(object sender, EventArgs e)
{
//Shows the Item detail Edit box
ModalPopupExtender.Show();
}
protected void BtnCancel_Click(object sender, EventArgs e)
{
ModalPopupExtender.Hide();
}
}
}
To run the code.. Add ref to AjaxControltoolkit.dll and then run and you will see the textarea being populated with xml. Click on the cancel button and this causes the error. Please can anyone help me?
运行代码.. 将 ref 添加到 AjaxControltoolkit.dll 然后运行,您将看到 textarea 填充了 xml。单击取消按钮,这会导致错误。请任何人都可以帮助我吗?
采纳答案by Jon Hanna
Use
用
<httpRuntime requestValidationMode="2.0" />
in your web.config (keeping any attributes you already have on that element, if it's already there). ASP.NET4.0 ignores ValidateRequestotherwise.
在您的 web.config 中(保留您在该元素上已有的任何属性,如果它已经存在)。ValidateRequest否则ASP.NET4.0 会忽略。
And, of course, do make sure that you take necessary measures to protect against genuinely dangerous requests, now that it's not being done for you.
而且,当然,请确保您采取必要措施来防止真正危险的请求,因为这不是为您完成的。
Edit: A great way of doing this is to create your own class derived from RequestValidator, and using the 4.0 behaviour, but with that as the class that does the checking.
编辑:这样做的一个好方法是创建您自己的类,派生自RequestValidator,并使用 4.0 行为,但将其作为进行检查的类。
回答by KMX
Well, people are talking about Asp.net 4.0 only... I guess we need to address other versions too. Today, I had the same problem when I replaced my AjaxToolkit editor with TinyMCE and with the postback I found the same issue.
好吧,人们只是在谈论 Asp.net 4.0……我想我们也需要解决其他版本的问题。今天,当我用 TinyMCE 替换我的 AjaxToolkit 编辑器时遇到了同样的问题,并且我发现了同样的问题。
"A potentially dangerous Request.Form value was detected from the client"..
“从客户端检测到潜在危险的 Request.Form 值”..
So I used this line inside my webconfig and it worked for me.
所以我在我的 webconfig 中使用了这一行,它对我有用。
<system.web>
<pages validateRequest="false" />
</system.web>
It should work across Asp.net 2.0 to 3.5.
它应该适用于 Asp.net 2.0 到 3.5。
UPDATE:Even works upto .net 4.5
更新:甚至适用于 .net 4.5
UPDATE:You can also try to validate the request on page level rather whole website. Just wanted to let the readers to choose the best way. Thanks DVD for pointing this out.
更新:您还可以尝试在页面级别而不是整个网站上验证请求。只是想让读者选择最好的方式。感谢 DVD 指出这一点。
回答by Jayesh Sorathia
Here are possible solution which may help you. Make server side configuration setting for this. If you want to allow HTML element as input from selected pages in your project than you set this page attribute.
以下是可能对您有所帮助的可能解决方案。为此进行服务器端配置设置。如果要允许 HTML 元素作为项目中选定页面的输入,请设置此页面属性。
<%@ Page ValidateRequest="false" %>
This ValidateRequest="false" on each page. If you want in all pages in you project than make changes in Web.Config file. Add this tag In section.
每个页面上的这个 ValidateRequest="false" 。如果您想在项目中的所有页面中进行更改,请在 Web.Config 文件中进行更改。在部分添加此标签。
If you are using .Net 4.0 than you have to make one more change in Web.Config file. Add this tag In section.
如果您使用的是 .Net 4.0,则必须在 Web.Config 文件中再做一项更改。在部分添加此标签。
<httpRuntime requestValidationMode="2.0" />
Here are configuration for do not validate request for all pages in .Net 4.0
以下是不验证 .Net 4.0 中所有页面的请求的配置
<configuration>
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
<pages validateRequest="false">
</pages>
</configuration>
Here is full example on this. Click Here...
这是关于此的完整示例。点击这里...
回答by user193887
There are 3 options to remove this error.
有 3 个选项可以消除此错误。
- Set
validateRequest="false"in page directives. - Set
validateRequest="false"in web.config file. - Set
requestValidationMode="2.0"in web.config if you are using DotNet 4.0
validateRequest="false"在页面指令中设置。validateRequest="false"在 web.config 文件中设置。requestValidationMode="2.0"如果您使用的是 DotNet 4.0,请在 web.config 中设置
Checkout this linkfor more info.
查看此链接了解更多信息。
回答by shrikant.Shukla
"A potentially dangerous Request.Form value was detected from the client"..
“从客户端检测到潜在危险的 Request.Form 值”..
1) set httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="<,>,\"in web.configfile
1)httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="<,>,\"在web.config文件中设置
2) set validateRequest="false"in side pages tag in web.config file
2)validateRequest="false"在 web.config 文件的侧页标签中设置
<system.web>
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="<,>,\"/>
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false"/>
<system.web>
回答by Tapan kumar
I faced this same problem while sending some email templates from aspx page to code behind....
我在从 aspx 页面发送一些电子邮件模板到后面的代码时遇到了同样的问题......
So I tried to solve this by adding
所以我试图通过添加来解决这个问题
<httpRuntime requestValidationMode="2.0" />
in my web config under enter code here` but that did not helped me unless I putted
在我的 web 配置下enter code here` 但这对我没有帮助,除非我把
ValidateRequest="false"
attrribute in the page directive of the aspx page.
属性在 aspx 页面的页面指令中。
回答by Mohamed Rasik
I created a table article with columns articleId and article_content. I also used html editor for article_content column. When I tried to save I got the same error. It was resolved by adding [AllowHtml] to the article_content property in the class.
我创建了一个包含 articleId 和 article_content 列的表格文章。我还为 article_content 列使用了 html 编辑器。当我尝试保存时,我遇到了同样的错误。它是通过将 [AllowHtml] 添加到类中的 article_content 属性来解决的。
[AllowHtml]
[Required]
public string article_content { get; set; }
Don't forget to include the namespace using System.Web.Mvc. For more details: http://www.infinetsoft.com/Post/A-potentially-dangerous-Request-Form-value-was-detected-from-the-client/1246
不要忘记使用 System.Web.Mvc 包含命名空间。更多详情:http: //www.infinetsoft.com/Post/A-potentially-dangerous-Request-Form-value-was-detected-from-the-client/1246
回答by Peter Kerr
You can use JavaScript to encode the values before sending to the server, if that suits your needs
如果满足您的需要,您可以在发送到服务器之前使用 JavaScript 对值进行编码
see this answer
看到这个答案
