.NET 2 / VB:RequestValidation = false替代品

时间:2012-08-14 20:43:37

标签: asp.net .net vb.net

我遇到一个网络应用程序的问题,经常只用一个aspx页面喷出以下样式错误:

Browser: IE
Url Referrer: redacted
User Host 1.1.1.1
User Host Name: 1.1.1.1
Last Error: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w..."). at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Stack Trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Source: System.Web
Message: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w...").

通常情况下,我怀疑用户必须做一些愚蠢的事情,比如在其中添加HTML标记,但这种情况经常发生,并且电子邮件中没有报告HTML标记。

我知道我可以使用ValidateRequest RequestValidation="false"指令关闭 off Page,但这也是不受欢迎的,因为我想要一些验证,只是没有结束 - 敏感验证。

我是否可以通过某种方式覆盖ValidateRequest的默认实现?有没有人遇到ValidateRequest之前错误地产生错误?最后,有人知道ValidateRequest的实现是什么样的吗?

1 个答案:

答案 0 :(得分:1)

由于您说误报仅来自一个页面,我会保持网站级别的web.config设置启用,并禁用此页面的页面级别验证。

然后您需要对页面上的用户输入负责:

  • 对所有字段进行自己的(服务器端)验证,例如正则表达等。
  • 在写出之前清除已知为用户发起的输入的任何数据,例如:与WPL
相关问题
最新问题