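A potentially dangerous Request.Form value was detected from the client (innerHTML)

Time: 2014-07-21 11:37:29

Tags: javascript html asp.net

I have a form that renders a table from a hidden field value, and Document Ready runs on this page.

The hidden field value, filled in by the page-load code-behind, is: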

<div 
    onclick="GetIcon(this)" style="cursor:pointer;" 
    URL=~\App_Images\Gallery\MapIcons\administrativeboundary.png >

    <img 
        src=../App_Images/Gallery/MapIcons/administrativeboundary.png 
        title="administrativeboundary"/>
</div>
#
<div 
    onclick="GetIcon(this)" 
    style="cursor:pointer;" 
    URL=~\App_Images\Gallery\MapIcons\administrativeboundary.png >

    <img src=../App_Images/Gallery/MapIcons/administrativeboundary.png 
        title="administrativeboundary"/>
</div>#

My page-load function is:

$(document).ready(function() {
    RendertblConstantsColumns('tbl_Gallery', 5, 'GColumn');
    RenderGalleryTable();
});

function RendertblConstantsColumns(tblid, ColumnNo, Columnid) {
    var tblConstants = document.getElementById(tblid);
    var tr = document.createElement('tr');
    tblConstants.appendChild(tr);
    for (var i = 0; i < ColumnNo; i++) {
        var td = document.createElement('td');
        td.setAttribute('style', 'text-align: right');
        td.setAttribute('id', Columnid + i.toString());
        tblConstants.appendChild(td);
    }
}

function RenderGalleryTable() {
    var Gallery = document.getElementById("<%=hdnGallery.ClientID%>");
    var Images = Gallery.value.split('#');

    for (var i = 0; i < Images.length - 1; i++) {
        var Mode = i % 5;
        var Column = document.getElementById('GColumn' + Mode.toString());
        Column.innerHTML += Images[i];
    }
}

I set ValidateRequest="false" and EnableEventValidation="false" for this page, but when the page runs, the following error message is displayed:

potentially dangerous request.form value was detected from the client

My stack trace is:

at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.get_Item(String key)
   at ASP.global_asax.Application_PreRequestHandlerExecute(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Edit: I fill the hidden field on the server like this:

string HTML = "";
HTML += "<div onclick=\"GetIcon(this)\" style=\"cursor:pointer;\"" + " URL=" + URL + " ><img " + "src=../App_Images/Gallery/MapIcons/" + ImageName + " " + "title=\"" + ImageName.Split('.')[0] + "\"" + "/></div>#";

hdnGallery.Value = HTML;

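2 Answers:

Answer 0: (score: 0)

The usual solution is to HTML-encode the offending data that is being sent to the server.

Since the error occurs at runtime, try to identify the line of code that triggers the error, possibly from JavaScript.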
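An added example, not part of the answer above or of the asker's code: it shows why the hidden field value from the question trips request validation and why an HTML-encoded copy of the same value does not. The function names are hypothetical, and `tripsRequestValidation` is a simplified model of the check, assumed from .NET Framework 4.x behaviour.

```javascript
// Simplified model (an assumption, not the framework's code) of the check behind
// "potentially dangerous Request.Form value": '<' followed by a letter, '!', '/'
// or '?', or '&' followed by '#'.
function tripsRequestValidation(value) {
    for (var i = 0; i < value.length - 1; i++) {
        var next = value.charAt(i + 1);
        if (value.charAt(i) === '<' && /[A-Za-z!\/?]/.test(next)) return true;
        if (value.charAt(i) === '&' && next === '#') return true;
    }
    return false;
}

// Named entities only: a numeric reference such as &#39; would match the "&#"
// rule above and would also collide with the '#' item separator.
var ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

function htmlEncode(text) {
    return text.replace(/[&<>"']/g, function (ch) { return ENTITIES[ch]; });
}

// Reverse of htmlEncode; '&amp;' goes last so "&amp;lt;" decodes to "&lt;", not "<".
function htmlDecode(text) {
    return text.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
        .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
        .replace(/&amp;/g, '&');
}

// Decode the field value, then split on the separator as RenderGalleryTable does.
function galleryItems(fieldValue) {
    return htmlDecode(fieldValue).split('#').filter(function (item) {
        return item.length > 0;
    });
}

// Constructed sample: one gallery entry in the shape shown in the question.
var rawValue = '<div onclick="GetIcon(this)" style="cursor:pointer;" ' +
    'URL=~\\App_Images\\Gallery\\MapIcons\\administrativeboundary.png >' +
    '<img src=../App_Images/Gallery/MapIcons/administrativeboundary.png ' +
    'title="administrativeboundary"/></div>#';
var encodedValue = htmlEncode(rawValue);

console.log('raw value flagged:', tripsRequestValidation(rawValue));
console.log('encoded value flagged:', tripsRequestValidation(encodedValue));
console.log('items after decoding:', galleryItems(encodedValue).length);
```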

Answer 1: (score: 0)

Please make the necessary setting in the web.config file:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>