“潜在危险的Request.RawUrl”的可能原因是什么?
在 asp.net Web 表单应用程序中,我们有时会收到一条错误消息,其中包含“潜在危险的 Request.RawUrl”,但我找不到它的来源。
造成这种异常的可能原因有哪些?
我们案例中的一些细节:
Event message: A validation error has occurred Exception type: System.Web.HttpRequestValidationException Exception message: A potentially dangerous Request.RawUrl value was detected from the client (="..._Combin%20%20%20%20%20%2..."). Request URL: https://somesite/somepage.aspx ?_TSM_HiddenField_=ctl00_sm1_HiddenField &_TSM_Combin%20</div>%20%20%20%20%20%20%20%20<div%20id= Stack trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.get_RawUrl() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.somepage_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
我在生成的页面的 html 中识别出带有 TSM_HiddenField 的部分:
<script src="/somepage.aspx?_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_= %3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c+Culture%3dneutral%2c +PublicKeyToken%3d28f01b0e84b6d53e%3ada-DK%3a8e147239-dd05-47b0-8fb3-f743a139f982 %3ae2e86ef9%3a1df13a87%3a8ccd9c1b%3ac4c00916%3a9ea3f0e2%3a9e8e87e9 %3a4c9865be%3aba594826%3ac76f1358" type="text/javascript"></script>
... 所以在这种情况下它似乎与 AjaxControlToolkit 有关,但是如何会发生这种异常?
(它发生在用户登录时,所以我怀疑是否涉及一些爬虫或黑客尝试......)
In an asp.net web forms application we get an error message with "A potentially dangerous Request.RawUrl" sometimes, but I cannot find the source of it.
What are the possible reasons for this exception?
Some details from our case:
Event message: A validation error has occurred Exception type: System.Web.HttpRequestValidationException Exception message: A potentially dangerous Request.RawUrl value was detected from the client (="..._Combin%20%20%20%20%20%2..."). Request URL: https://somesite/somepage.aspx ?_TSM_HiddenField_=ctl00_sm1_HiddenField &_TSM_Combin%20</div>%20%20%20%20%20%20%20%20<div%20id= Stack trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.get_RawUrl() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.somepage_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I recognise the part with TSM_HiddenField in the html of the generated page:
<script src="/somepage.aspx?_TSM_HiddenField_=ctl00_sm1_HiddenField&_TSM_CombinedScripts_= %3b%3bAjaxControlToolkit%2c+Version%3d3.5.11119.20050%2c+Culture%3dneutral%2c +PublicKeyToken%3d28f01b0e84b6d53e%3ada-DK%3a8e147239-dd05-47b0-8fb3-f743a139f982 %3ae2e86ef9%3a1df13a87%3a8ccd9c1b%3ac4c00916%3a9ea3f0e2%3a9e8e87e9 %3a4c9865be%3aba594826%3ac76f1358" type="text/javascript"></script>
... so it seems to be related to AjaxControlToolkit in this case, but how can this exception happen?
(It happens when a user is logged in, so I doubt there is some crawler or hack attempt involved...)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
看起来您在提交的表单字段中有 HTML 标记,可能是这个:
是罪魁祸首。
Looks like you have HTML markups in the submitted form fields, could be this one:
The
<div>
's the culprit.我认为它与 ASP.NET 请求验证有关: http://www.asp.net/learn/whitepapers/request-validation/
如果 HTML 标签随请求一起发送,它会抛出异常。
I think it has to do with ASP.NET request validation: http://www.asp.net/learn/whitepapers/request-validation/
It throws the exception if e. g. HTML tags are sent with the request.