为什么 ValidateInput(False) 不起作用?
我正在将使用 webforms 创建的应用程序转换为使用 vb.net 的 asp.net mvc 框架。 我的其中一个观点有问题。 当我提交表单时,出现黄屏死机,提示“从客户端检测到潜在危险的 Request.Form 值”。 我使用tinymce 作为我的RTE。 我已经设置了视图本身
验证请求=“假”
我知道在 MVC 中,从我到目前为止所读到的内容来看,它并不尊重它。 所以我也把它放在控制器动作上。 我尝试了不同的设置:
<ValidateInput(False), AcceptVerbs(HttpVerbs.Post)> _
...并且
<AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _
......也像这样...
<ValidateInput(False)> _
<AcceptVerbs(HttpVerbs.Post)> _
只是为了看看它是否有所不同,但我仍然遇到黄屏死亡。 我只想为此视图以及我的帖子所属的控制器中的特定操作设置它。 我错过了什么吗?
I am converting an application I created using webforms to the asp.net mvc framework using vb.net. I have a problem with one of my views. I get the yellow screen of death saying "A potentially dangerous Request.Form value was detected from the client" when I submit my form. I am using tinymce as my RTE. I have set on the view itself
ValidateRequest="false"
I know that in MVC it doesn't respect it on the view from what I've read so far. So I put it on the controller action as well. I have tried different setups:
<ValidateInput(False), AcceptVerbs(HttpVerbs.Post)> _
...and...
<AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _
...and like this as well...
<ValidateInput(False)> _
<AcceptVerbs(HttpVerbs.Post)> _
Just to see if it made a difference, yet I still get the yellow screen of death. I only want to set it for this view and the specific action in my controller that my post pertains to. Am I missing something?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
对于 asp.net 4,您还需要在 web.config 中配置验证模式。
将以下内容设置为
Asp.Net 4 默认情况下将 requestValidationMode 设置为
4.0,这会告诉系统执行请求验证在 HTTP 请求的 BeginRequest 阶段之前。 验证将在系统到达操作属性之前进行,告诉它不要验证请求,从而使该属性变得无用。 设置 requestValidationMode="2.0" 将恢复为 asp.net 2.0 请求验证行为,从而允许 ValidateInput 属性按预期工作。With asp.net 4, you'll need to configure the validation mode in the web.config as well.
Set the following as a child of the
<system.web>element:Asp.Net 4 sets the requestValidationMode to
4.0by default, which tells the system to perform request validation before the BeginRequst phase of the HTTP request. The validation will occur before the system reaches the action attribute telling it not to validate the request, thus rendering the attribute useless. Setting requestValidationMode="2.0" will revert to the asp.net 2.0 request validation behavior, allowing theValidateInputattribute to work as expected.您确定要发布到的控制器操作是您具有属性的控制器操作吗?
Are you sure that the controller action being posted to is the one you have the attributes on?
当您使用自己的实现 IModelBinder 接口的模型绑定程序时,您会注意到这些自定义模型绑定程序始终验证数据,无论任何属性如何。
您可以添加几行代码,使自定义模型绑定器遵循操作的 ValidateInput 过滤器:
Martijn Boland 在此对此进行了很好的解释:http://blogs.taiga.nl/martijn/2011/09/29/custom -模型绑定器和请求验证/
When you are using your own model binders which implement the IModelBinder interface you will notice that those custom model binders always validate the data, regardless any attributes.
You can add few lines of code to make the custom model binders respect the ValidateInput filter of the actions:
This is explained very nicely by Martijn Boland here: http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/
您可以尝试访问该字段,例如
HttpContext.Request.Unvalidated.Form["FieldName"]
You can try accessing the field like
HttpContext.Request.Unvalidated.Form["FieldName"]
请注意,这些建议不会解决当您必须将 [ValidateInput(false)] 与 FormCollection 结合使用时出现的错误所导致的问题。
请参阅: ASP.NET MVC 3 ValidateRequest(false) 无法使用表单集合
Please note that these suggestions will not fix the problems caused by a bug that occurs when you have to use [ValidateInput(false)] in combination with a FormCollection.
See: ASP.NET MVC 3 ValidateRequest(false) not working with FormCollection
将以下代码行添加
到 Application_Start() 方法中。
呵呵不错
Add the following line of code:
to the Application_Start() method.
Hehe good
如果您使用输入模型并在所需的属性上使用AllowHtml,您将不会被阻止。
If you use an input model and use an AllowHtml on the property you want, you will be unblocked.