
天涯倦客's Blog

requestValidationMode causes ValidateRequest=False to stop working, or ASP.NET 4.0 event message: A validation error occurred; a potentially dangerous Request.Form value was detected

2011-12-28 14:42:36 | Category: asp.net


The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

XML/XHTML code
<httpRuntime requestValidationMode="2.0" />

IMPORTANT:

Because validation now happens in the BeginRequest phase of an HTTP request, pages with validateRequest="false" will still get the dreaded message. The only options are to:

   1. Set requestValidationMode="2.0", in which case the page setting will apply
   2. Ignore the requestValidationMode setting, create your own request validator, and change your web.config to use the custom validator


Creating your own custom request validation

Here’s the sample code to create your own custom request validation, which allows all HTML tags except script tags.

You will need to modify the web.config as well:
XML/XHTML code
<httpRuntime requestValidationType="Globals.CustomRequestValidation" />

NOTE: There is currently no way to find out whether the page has validateRequest=false. I’ve submitted feedback to Microsoft; click here to view the status of the request.
C# code

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Util;

namespace Globals
{
  /// <summary>
  /// Custom request validator that allows all HTML tags except script tags.
  /// </summary>
  public class CustomRequestValidation : RequestValidator
  {
    public CustomRequestValidation() { }

    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
      // Block script tags. The comparison is ordinal and case-insensitive:
      // a culture-sensitive ToLower() can miss "<SCRIPT" under some cultures
      // (for example Turkish casing of "I"). A null value has nothing to check.
      var idx = value == null ? -1 : value.IndexOf("<script", StringComparison.OrdinalIgnoreCase);

      if (idx > -1)
      {
        // Report where the offending text starts.
        validationFailureIndex = idx;
        return false;
      }
      else
      {
        validationFailureIndex = 0;
        return true;
      }
    }
  }
}
Original: http://jefferytay.wordpress.com/2010/04/15/asp-net-4-breaking-changes-1-requestvalidationmode-cause-validaterequestfalse-to-fail/