ASP.NET MVC ValidateInput(false) 停止使用 xVal 和 [RegularExpression] DataAnnotation

发布于 2024-07-25 18:51:29 字数 698 浏览 12 评论 0原文

我想截取“<” 正则表达式验证器在表单字段中输入字符。 我将分 3 个步骤描述该问题:

第 1 步:当我尝试提交包含“<”字段的表单时 字符,我收到“潜在危险的请求...” - 正如 ASP.NET 中所预期的那样。

第 2 步:为了避免 ASP.NET 的 RequestValidation,我用“[ValidateInput(false)]”修饰控制器中的 Update 方法。

它按预期工作 - 现在我可以发布“<” 字符无错误。

第 3 步:我将 xVal 与 DataAnnotations 结合使用。 例如,[Required] 或 [StringLength(255)] 按预期工作。

但是当我使用时: [RegularExpression("^[^<>]*$", ErrorMessage = "不允许使用特殊字符。")], 我再次收到“潜在危险请求...”错误< /strong>,尽管有 [ValidateInput(false)] 指令。

发生了什么? 是否有更简单的正则表达式验证方法,但使用 [ValidateInput(false)] ? 当然,我希望将验证代码放在模型中,而不是控制器中。

I would like to intercept the "<" character in the form field by a regex validator. I will describe the problem in 3 steps:

Step 1: When I try to submit a form with a field containing the "<" character, I get the "Potentially dangerous request..." - as expected in ASP.NET.

Step 2: To avoid ASP.NET's RequestValidation, I decorate my Update method in the controller with "[ValidateInput(false)]".

It works as expected - now I can post "<" character without error.

Step 3: I use xVal with DataAnnotations. For example, [Required] or [StringLength(255)] works as expected.

BUT when I use:
[RegularExpression
("^[^<>]*$", ErrorMessage = "Special characters are not allowed.")], I get the "Potentially dangeros request..." error again, despite the [ValidateInput(false)] directive.

What's happening? Is there a simpler way for regex validaton, but with [ValidateInput(false)] in place? Of course, I'd like to have my validation code in the model, not in the controller.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

吝吻 2024-08-01 18:51:29

不,这是 MVC 1 + xVal 中的问题。
在 MVC 2 中,验证的工作方式如下
假设(并且不需要 xVal
不再) – Alex42

看起来机器人仍在继续将这个推到顶部。 您能否将答案标记为已接受,以便它知道?

No, it was an issue in MVC 1 + xVal.
In MVC 2 the validation works as
supposed (and there's no need for xVal
anymore) – Alex42

Looks like the bot keeps on pushing this one to the top still. Could you mark an answer as accepted so that it knows?

向地狱狂奔 2024-08-01 18:51:29

我正在使用 xVal & nhibernate.validator 和我尝试重现此行为,但因为验证器绑定到客户端,所以我无法获得经过客户端验证的值。 当我禁用 javascript 时,它进入服务器端验证,并被正则表达式验证器捕获。

我尝试使用数据注释验证属性和模型绑定器进行同样的操作,它也成功了。

一定还有其他原因导致了错误。 抱歉,我无法提供更多帮助!

I'm using xVal & nhibernate.validator and i tried to reproduce this behavior but because the validator is tied into the client side I couldn't get a value of past the client side validation. when i disabled javascript, it got to the server side validation, and was caught by the regular expression validator.

I tried the same thing with using the data annotations validation attributes and model binder and it made it past as well.

there must be something else going on that is causing the error. Sorry I couldn't be more helpful!

如果没有你 2024-08-01 18:51:29

尝试使用简单的规则进行验证这个方法。 这至少可以从方程中消除xVal。 如果问题仍然存在,那么我建议它与以下任一相关:

  • MVC 默认 Model Binder 的实现
  • ,或者您使用的版本中的 MVC 视图引擎存在问题,这在某种程度上允许您指定的属性出现异常在不应该的情况下验证 <

Try validating using a simple rule with this method. This can at least eliminate xVal from the equation. If the problem persists then i'd suggest it's related to either:

  • the implementation of MVC's default Model Binder
  • or there is a problem with the MVC view engine in the release your using that's somehow allowing an exception to be made for the attribute you specified by validating the < when it shoudn't be
呆头 2024-08-01 18:51:29

如果它只是一个字段,您可以编写一个例程来查找字符 '<; 或>' 并将其删除。 您可以通过使用子字符串来实现这一点。 希望这有助于

  • 使用 For 循环来测试要测试的文本长度(for (int i=1, i <= text.length, ++))
  • 验证以 1 开头的每个字符(例如 ch = text.substring(i,1 )
  • 将每个读取的字符添加到 tmp 字符串,除了 '< 或 >'

if it just a field, you could just write a routine to look for a character '< or >' and remove it. you can achieve this by by making use of substring. hope this this helps

  • use For loop to length of text to be tested (for (int i=1, i <= text.length, ++))
  • verify each character begining 1 (e.g ch = text.substring(i,1)
  • add each read character to tmp string except '< or >'
短叹 2024-08-01 18:51:29

我想静态方法 Escape() 可以为您解决这个问题。

  Regex r = new Regex(Regex.Escape(expression));

I suppose the static method Escape() would solve this for you.

  Regex r = new Regex(Regex.Escape(expression));
爺獨霸怡葒院 2024-08-01 18:51:29

将此行放入 web.config

<httpRuntime requestValidationMode="2.0" />

这是 ASPNET 4.0 中的更改

Put this line in web.config

<httpRuntime requestValidationMode="2.0" />

This is change in ASPNET 4.0

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文