jQuery: A potentially dangerous Request.Form

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/4897441/

Time: 2020-08-26 18:08:54  Source: igfitidea

A potentially dangerous Request.Form

.net asp.net vb.net jquery

Asked by oshirowanen

Anyone know why I am getting the following error? I have debugging enabled.

Server Error in '/' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Form value was detected from the client (strContent="<p>
test</p>
"). 
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. 

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (strContent="<p>
test</p>
").

Source Error: 

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:

1. Add a "Debug=true" directive at the top of the file that generated the error. Example:

  <%@ Page Language="C#" Debug="true" %>

or:

2) Add the following section to the configuration file of your application:

<configuration>
   <system.web>
       <compilation debug="true"/>
   </system.web>
</configuration>

Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.

Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.  

Stack Trace: 


[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (strContent="<p>
    test</p>
").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8725306
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +111
   System.Web.HttpRequest.get_Form() +129
   System.Web.HttpRequest.get_HasForm() +8725415
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
   System.Web.UI.Page.DeterminePostBackMode() +63
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
   System.Web.UI.Page.ProcessRequest() +80
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.ajax_create_new_page_aspx.ProcessRequest(HttpContext context) +37
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75



--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618

Answer by Oded

The post contains HTML elements (the <p> tag, in your case) - this can be an indication of a cross site scripting attack, which is why asp.net does not allow it by default.

You should either HTML encode before submitting (best practice), or disable the warning and potentially expose yourself to XSS.

Answer by parisa

In the web.config file, within the tags, insert the httpRuntime element with the attribute requestValidationMode="2.0". Also add the validateRequest="false" attribute in the pages element.

<configuration>
  <system.web>
   <httpRuntime requestValidationMode="2.0" />
   <pages validateRequest="false" />
  </system.web>
</configuration>
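
A narrower form of the setting above, as an added example that is not part of the original answer: a `<location>` element limits the change to the one page that must accept markup, so request validation stays on for the rest of the site. The `path` value is a placeholder, and whatever that page receives still has to be encoded or sanitized before it is rendered.

```xml
<!-- Site-wide, as in the answer above: request validation is off for every page. -->
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>

<!-- Scoped alternative: only the named page skips request validation. -->
<configuration>
  <!-- Placeholder path: replace with the application-relative path of the
       page that receives the HTML field (strContent in the question). -->
  <location path="path/to/page-that-accepts-html.aspx">
    <system.web>
      <!-- requestValidationMode exists from .NET Framework 4.0 onward;
           omit this element on earlier versions such as the 2.0 runtime
           shown in the question's stack trace. -->
      <httpRuntime requestValidationMode="2.0" />
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```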

Answer by Shekhar_Pro

It's because you have HTML tags in your POST request. To allow it you need to set ValidateRequest=false in your @Page directives. But remember this can expose your site to Cross Site Scripting Attacks.

Answer by ecasper

Place the [AllowHtml] attribute in your model.

Answer by codenesium

Make sure you're changing in the actual Web.config. I was changing it in Web.debug.config and Web.release.config files and it wouldn't work.

Answer by bro mak

I had to go hunting a little within my web.config file, specifically within the system.web xml section, to find where I could update the <pages> directives... as you noted. As soon as I added the validateRequest = "false" attribute to the pages directive within the web.config file, it made everything whole again.

In my particular case, it is NOT on a production server however and this is not 'production' level code either. It's a private local server, with me only as the sole user in the environment so that makes me feel better about updating that setting. As below:

<system.web>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />
</system.web>

Answer by Willy David Jr

If this is an MVC application you can apply this attribute on Controller Action level to ignore input validation:

[ValidateInput(false)]
