处理“从客户端检测到潜在危险的 Request.Form 值”;
我正在尝试找出如何处理这个错误。
从客户端检测到潜在危险的 Request.Form 值
当用户输入 html 或 xml 标记(
或
我在 ASP.NET MVC 2.0 中使用模型绑定验证以及 Html.EnableClientValidation。只要没有输入标记,这种方法就可以正常工作。
避免此错误消息的最佳方法是什么?
我的猜测是编写一个新的验证类来检查这种标记?
我想捕获这个特定实例中的错误。为了澄清,有一个带有站点管理员表单的区域可以输入标记,而有一个普通用户区域不能输入标记。但是,当普通用户输入标记时,会出现此错误页面。我的问题是,如何处理此问题以防止网站崩溃并显示错误页面。我想显示更清晰的错误。
I am trying to figure out how to handle this error.
A potentially dangerous Request.Form value was detected from the client
The error occurs when a user enters in html or xml tags( <p> or <HeyImXML>) and tries to submit a form. The input is not supposed to contain any sort of markup at all, just plain text.
I am using model binding validation in ASP.NET MVC 2.0 along with Html.EnableClientValidation. This works fine as long as there is no markup entered.
What is the best approach on how to avoid this error message?
My guess is to write a new validation class which checks for this kind of markup?
I want to catch the error in this specific instance. To clarify there is an area with a form for siteadmins that can enter markup and there is a normal users area where they can not enter markup. However this error page appears when a normal users enters markup. My question is, how do I handle this to prevent the site from crashing and showing the error page. I want to display a cleaner error.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
MVC 将自动保护您的应用程序免受某些 html 注入 和跨站点脚本 (XSS) 攻击。这就是为什么在尝试发布 html/javascript 时,默认情况下您会收到“从客户端检测到潜在危险的 Request.Form 值 (...)”的原因。
然而,我们有时可能希望允许我们的用户发布 html。您可能只想允许用户使用诸如“>”之类的字符,或者可能是因为您实现博客功能并希望支持诸如
、
将
[ValidateInput(false)]属性添加到您正在调用的控制器中的操作方法。这将禁用整个模型对特定操作的请求验证。另一种方法是将
[AllowHtml]属性添加到模型中需要 html 的属性。这两个属性只允许 html/javascript 进入您的应用程序,但 MVC 仍然会使用 html 编码安全地输出它们。如果您想像 html 一样输出它,您可以使用 @Html.Raw(@Model.Content)。 但请谨慎使用,因为这将使您的应用程序遭受跨站点脚本攻击( XSS)!
我从 某人的博客
也看到下面的代码 找到了这个解决方案您的解决方案
您可以通过以下方式处理应用程序中的错误
1。在应用程序的 Web.Config 文件中设置 CustomErros 模式部分
这是模式属性可以接受的选项列表。
RemoteOnly:为远程用户显示一般错误页面。针对本地请求(从当前计算机发出的请求)显示丰富的错误页面。这是默认设置。
关闭:向所有用户显示丰富的错误页面,无论请求的来源如何。此设置在许多开发场景中很有帮助,但不应在已部署的应用程序中使用。
开启:向所有用户显示通用错误页面,无论请求来源如何。这是最安全的选择。
2.通过 Application_Error 函数中的 Global.asax 文件
我希望这对您有用。
来自 stackoverflow 解决方案
MVC will automatically protect your application from some html injection and cross-site scripting (XSS) attacks. This is why you will get the "A potentially dangerous Request.Form value was detected from the client (...)" by default when attempting to post html/javascript.
However, we may sometimes want to allow our users to post html. You might just want to allow users to use characters such as "›", or it might be because your implementing blog functionality and want to support tags like ‹h1›, ‹div›, etc. This can easily be accomplished with MVC by disabling request validation.
Add
[ValidateInput(false)]attribute to the action method in the controller you are calling. This will disable request validation for the entire model on the specific action.Another way is to add the
[AllowHtml]attribute to the property which requires html in your model.These two attributes will only allow html/javascript to GET IN to your application, but MVC will still output them safely by using html encoding. If you want to output it like html, you can use the @Html.Raw(@Model.Content). But use this with caution, since this will open your application to cross-site scripting attacks (XSS)!
i found this solution from some one's blog
also see below code for your solution
you can handle errors within your application in the following way
1. Setting the CustomErros mode section in your Web.Config file of your application
This the lists of options the mode attribute can accept.
RemoteOnly: Generic error pages are shown for remote users. Rich error pages are shown for local requests (requests that are made from the current computer). This is the default setting.
Off: Rich error pages are shown for all users, regardless of the source of the request. This setting is helpful in many development scenarios but should not be used in a deployed application.
On: Generic error pages are shown for all users, regardless of the source of the request. This is the most secure option.
2. throught Global.asax file in the Application_Error function
I hope this works for you.
from stackoverflow solution
这是 早期在 ASP.Net 中引入的,旨在尝试 帮助防止脚本注入攻击。这并不是 MVC 所独有的。
如果您不需要此功能,可以将其关闭并编写自己的功能。
要禁用页面上的请求验证,请将 Page 指令的 validateRequest 属性设置为 false:
要禁用应用程序的请求验证,请修改 Web.config - 设置 validateRequest 属性将
This was introduced early on in ASP.Net to try to help prevent script injection attacks. It isn't unique to MVC.
If you don't want this feature, you can turn it off and write your own.
To disable request validation on a page, set the validateRequest attribute of the Page directive to false:
To disable request validation for your application, modify Web.config - set the validateRequest attribute of the
<pages />section to false: