asp.net-mvc 为什么 ValidateInput(False) 不起作用?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/807662/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why is ValidateInput(False) not working?
提问by Dekryptid
I am converting an application I created using webforms to the asp.net mvc framework using vb.net. I have a problem with one of my views. I get the yellow screen of death saying "A potentially dangerous Request.Form value was detected from the client" when I submit my form. I am using tinymce as my RTE. I have set on the view itself
我正在将使用 webforms 创建的应用程序转换为使用 vb.net 的 asp.net mvc 框架。我的观点之一有问题。当我提交表单时,我收到黄色的死亡屏幕,提示“从客户端检测到一个潜在危险的 Request.Form 值”。我使用 tinymce 作为我的 RTE。我已经设置了视图本身
ValidateRequest="false"
验证请求=“假”
I know that in MVC it doesn't respect it on the view from what I've read so far. So I put it on the controller action as well. I have tried different setups:
我知道在 MVC 中,从我目前所读到的内容来看,它并不尊重它。所以我也把它放在控制器动作上。我尝试了不同的设置:
<ValidateInput(False), AcceptVerbs(HttpVerbs.Post)> _
...and...
...和...
<AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _
...and like this as well...
……还有这样的……
<ValidateInput(False)> _
<AcceptVerbs(HttpVerbs.Post)> _
Just to see if it made a difference, yet I still get the yellow screen of death. I only want to set it for this view and the specific action in my controller that my post pertains to. Am I missing something?
只是为了看看它是否有所作为,但我仍然看到死亡的黄色屏幕。我只想为这个视图和我的帖子所涉及的控制器中的特定操作设置它。我错过了什么吗?
采纳答案by Chad Moran
Are you sure that the controller action being posted to is the one you have the attributes on?
您确定发布到的控制器操作是您拥有属性的控制器操作吗?
回答by Jim Geurts
With asp.net 4, you'll need to configure the validation mode in the web.config as well.
使用 asp.net 4,您还需要在 web.config 中配置验证模式。
Set the following as a child of the <system.web>element:
将以下内容设置为<system.web>元素的子 元素:
<system.Web>
...
<httpRuntime requestValidationMode="2.0"/>
Asp.Net 4 sets the requestValidationMode to 4.0by default, which tells the system to perform request validation before the BeginRequst phase of the HTTP request. The validation will occur before the system reaches the action attribute telling it not to validate the request, thus rendering the attribute useless. Setting requestValidationMode="2.0" will revert to the asp.net 2.0 request validation behavior, allowing the ValidateInputattribute to work as expected.
Asp.Net 44.0默认将 requestValidationMode 设置为,它告诉系统在 HTTP 请求的 BeginRequst 阶段之前执行请求验证。验证将在系统到达 action 属性之前发生,告诉它不要验证请求,从而使属性变得无用。设置 requestValidationMode="2.0" 将恢复为 asp.net 2.0 请求验证行为,允许ValidateInput属性按预期工作。
回答by Rahatur
When you are using your own model binders which implement the IModelBinderinterface you will notice that those custom model binders always validate the data, regardless any attributes. You can add few lines of code to make the custom model binders respect the ValidateInputfilter of the actions:
当您使用自己的实现IModelBinder接口的模型绑定器时,您会注意到这些自定义模型绑定器始终验证数据,而不管任何属性。您可以添加几行代码,使自定义模型绑定器遵守操作的ValidateInput过滤器:
// First check if request validation is required
var shouldPerformRequestValidation = controllerContext.Controller.ValidateRequest && bindingContext.ModelMetadata.RequestValidationEnabled;
// Get value
var valueProviderResult = bindingContext.GetValueFromValueProvider(shouldPerformRequestValidation);
if (valueProviderResult != null)
{
var theValue = valueProviderResult.AttemptedValue;
// etc...
}
This is explained very nicely by Martijn Boland here: http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/
Martijn Boland 在这里很好地解释了这一点:http: //blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/
回答by Chitta
You can try accessing the field like HttpContext.Request.Unvalidated.Form["FieldName"]
您可以尝试访问该字段,如 HttpContext.Request.Unvalidated.Form["FieldName"]
回答by Frank van Eykelen
Please note that these suggestions will not fix the problems caused by a bug that occurs when you have to use [ValidateInput(false)] in combination with a FormCollection.
请注意,这些建议不会解决由必须将 [ValidateInput(false)] 与 FormCollection 结合使用时出现的错误引起的问题。
See: ASP.NET MVC 3 ValidateRequest(false) not working with FormCollection
请参阅:ASP.NET MVC 3 ValidateRequest(false) 不适用于 FormCollection
回答by Tarek Ayna
If you use an input model and use an AllowHtml on the property you want, you will be unblocked.
如果您使用输入模型并在您想要的属性上使用 AllowHtml,您将被解锁。
public class InputModel
{
[AllowHtml]
public string HtmlInput { get; set; }
}
...
[ValidateInput(false)]
public async Task<ActionResult> ControllerMethod(InputModel model)
{
}
回答by Vishnu Vikraman
Add the following line of code:
添加以下代码行:
GlobalFilters.Filters.Add(new ValidateInputAttribute(false));
to the Application_Start() method.
到 Application_Start() 方法。
