asp.net-mvc: What does requestValidationMode="2.0" actually do?

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/6206540/

Time: 2020-09-08 01:13:59  Source: igfitidea

What does requestValidationMode="2.0" actually do?

asp.net-mvc validation asp.net-mvc-3 asp.net-mvc-validation

Asked by Oren A


I'm trying to solve a "A potentially dangerous Request.Form value was detected from the client" problem, and SO answers and Scott Hanselman recommend setting


<httpRuntime requestValidationMode="2.0" />

in Web.config (along with adding an attribute to problematic Methods).
I realize this changes the validation mode to ASP.NET 2.0's, but what does that mean?
And also, does this change have any side effects I should be aware of?

Thanks.

Accepted answer by David d C e Freitas

Check out the description at MSDN's HttpRuntimeSection.RequestValidationMode Property.

2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

Answer by Hector Correa

Take a look at ASP.NET Request Validation:

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

<httpRuntime requestValidationMode="2.0" />

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.
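
Added example, not part of the original question or answers: a custom HTTP handler that no longer receives request validation once requestValidationMode="2.0" is set, and that therefore opts back in itself and encodes its output. The handler name `EchoHandler` and the `name` query parameter are assumptions made for illustration.

```csharp
using System.Web;

// Hypothetical handler (for example mapped to Echo.ashx); not from the original page.
// Assumes Web.config contains <httpRuntime requestValidationMode="2.0" />,
// so ASP.NET validates page requests only and skips handlers like this one.
public class EchoHandler : IHttpHandler
{
    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/html";

        string name;
        try
        {
            // Opt this handler back in. ValidateInput() flags the Form,
            // QueryString and Cookies collections; the check itself runs
            // the next time one of those collections is read.
            context.Request.ValidateInput();
            name = context.Request.QueryString["name"];
        }
        catch (HttpRequestValidationException)
        {
            // Same condition that produces "A potentially dangerous
            // Request... value was detected from the client" on a page.
            context.Response.StatusCode = 400;
            context.Response.Write("Invalid input.");
            return;
        }

        // Encode on output as well: request validation is a default layer
        // of protection, not a replacement for output encoding.
        context.Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");
    }
}
```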
