A potentially dangerous Request.Form value

Time: 2011-02-04 11:23:01

Tags: .net asp.net vb.net jquery

Does anyone know why I am getting the following error? I already have debugging enabled.

Server Error in '/' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Form value was detected from the client (strContent="<p>
test</p>
"). 
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. 

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (strContent="<p>
test</p>
").

Source Error: 

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:

1. Add a "Debug=true" directive at the top of the file that generated the error. Example:

  <%@ Page Language="C#" Debug="true" %>

or:

2) Add the following section to the configuration file of your application:

<configuration>
   <system.web>
       <compilation debug="true"/>
   </system.web>
</configuration>

Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.

Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.  

Stack Trace: 


[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (strContent="<p>
    test</p>
").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8725306
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +111
   System.Web.HttpRequest.get_Form() +129
   System.Web.HttpRequest.get_HasForm() +8725415
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
   System.Web.UI.Page.DeterminePostBackMode() +63
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
   System.Web.UI.Page.ProcessRequest() +80
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.ajax_create_new_page_aspx.ProcessRequest(HttpContext context) +37
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75



--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618

7 answers:

Answer 0 (score: 16)

The post contains HTML elements (in your case the <p> tag) - this can indicate a cross site scripting attack, which is why asp.net does not allow it by default.

You should HTML-encode it before submitting (best practice), or disable the warning and possibly expose yourself to XSS.

Answer 1 (score: 5)

In the web.config file, insert an httpRuntime element inside the <system.web> element with the attribute requestValidationMode="2.0". Also add the validateRequest="false" attribute to the pages element.

<configuration>
  <system.web>
   <httpRuntime requestValidationMode="2.0" />
   <pages validateRequest="false" />
  </system.web>
</configuration>

Answer 2 (score: 3)

This is because your POST request contains HTML markup. To allow it, you need to set ValidateRequest="false" in the @Page directive. But keep in mind that this may expose your site to cross-site scripting attacks.

Answer 3 (score: 2)

Put the [AllowHtml] attribute in the model.
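Added example, not code from any of the answers above: [AllowHtml] is an ASP.NET MVC attribute that is applied to a single model property, so request validation stays on for every other field in the same post. The model, controller and action names are hypothetical; the field name strContent comes from the question. The action HTML-encodes the accepted markup on output, which is the encoding step Answer 0 recommends.

```csharp
// Added example (not from the original answers). ASP.NET MVC model that accepts
// HTML in exactly one property via [AllowHtml]; the Title property is still
// request-validated, so "<script>" posted there is rejected as usual.
// Assumes System.Web.Mvc (MVC 3 or later). Names are hypothetical.
using System.Web;
using System.Web.Mvc;

public class NewPageModel
{
    // No attribute: ASP.NET request validation still applies to this field.
    public string Title { get; set; }

    // Only this property skips request validation. The markup is accepted
    // into the model, not trusted: it is encoded again before it is rendered.
    [AllowHtml]
    public string StrContent { get; set; }
}

public class AjaxController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult CreateNewPage(NewPageModel model)
    {
        if (!ModelState.IsValid)
        {
            return new HttpStatusCodeResult(400);
        }

        // Encode on output so "<p>test</p>" reaches the browser as text
        // ("&lt;p&gt;test&lt;/p&gt;"), not as live markup.
        string safeForDisplay = EncodeForHtml(model.StrContent);
        return Content(safeForDisplay, "text/plain");
    }

    // Kept separate so the encoding rule is reusable wherever the content is shown.
    public static string EncodeForHtml(string rawHtml)
    {
        return HttpUtility.HtmlEncode(rawHtml ?? string.Empty);
    }
}
```

Scoping the exception to one property is the point: ValidateRequest="false" in the @Page directive or <pages validateRequest="false"> turns validation off for every field on the page (or site), while [AllowHtml] leaves it on everywhere except the field that genuinely needs markup.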

Answer 4 (score: 0)

Make sure you are making the change in the actual Web.config. I changed it in the Web.debug.config and Web.release.config files and it would not work.

Answer 5 (score: 0)

I had to do some searching in my web.config file, specifically inside the system.web xml section, to find where I could update the <pages> directive... as you pointed out. As soon as I added the validateRequest="false" attribute to the pages directive in the web.config file, it put everything back together.

In my particular case this is not on a production server, and this is not "production" grade code either. It is a private local server where I am the only user in the environment, which made me feel better about updating that setting. As follows:

<system.web>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" validateRequest="false" />
</system.web>

Answer 6 (score: 0)

I had an ajax request with formdata, so it worked by using the unvalidated keyword before retrieving the data from the request. So you can try this way here with the tinymce text data, and there is also no need to modify your web config file. My code is as below:

// Read this one field without request validation; other Request.Form lookups stay validated.
var data = Request.Unvalidated.Form["Key_word"];
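Added example, not the answerer's code: a Web Forms code-behind for the ajax endpoint in the question that reads the posted HTML through Request.Unvalidated and HTML-encodes it before writing it back. HttpRequest.Unvalidated exists only in .NET 4.5 and later (the version information in the question shows the 2.0 runtime, where it is unavailable) and relies on the default requestValidationMode="4.5" of that runtime. The field name strContent is from the question; the class name and the response format are hypothetical.

```csharp
// Added example (not from the original answers). Web Forms code-behind that
// accepts HTML in one field via Request.Unvalidated while request validation
// stays enabled for every other field, then HTML-encodes the value on output.
// Assumes .NET 4.5+ with requestValidationMode="4.5" (its default). The field
// name strContent comes from the question; the class name is hypothetical.
using System;
using System.Web;
using System.Web.UI;

public partial class AjaxCreateNewPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.HttpMethod != "POST")
        {
            Response.StatusCode = 405;
            return;
        }

        // Request.Form["strContent"] would throw HttpRequestValidationException
        // for "<p>test</p>"; the Unvalidated collection returns it untouched.
        // Every other Request.Form lookup on this page is still validated.
        string rawContent = Request.Unvalidated.Form["strContent"];

        // Encode on output so the markup is displayed as text, never executed.
        Response.ContentType = "text/html";
        Response.Write(EncodeForHtml(rawContent));
    }

    // "<p>test</p>" becomes "&lt;p&gt;test&lt;/p&gt;". Reusable wherever the
    // stored content is rendered, not just in this handler.
    public static string EncodeForHtml(string rawHtml)
    {
        return HttpUtility.HtmlEncode(rawHtml ?? string.Empty);
    }
}
```

This keeps validation on for the whole page and opts out for the one field that carries the editor content, which is the same narrowing that [AllowHtml] gives an MVC model. If the stored markup must later be rendered as HTML rather than shown encoded, the page's answers do not cover that case; encoding is the only treatment shown here.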