Dot-Net
A potentially dangerous Request.Form
Does anyone know why I am getting the following error? I have debugging enabled.
Server Error in '/' Application.
--------------------------------------------------------------------------------
A potentially dangerous Request.Form value was detected from the client (strContent="<p> test</p> ").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (strContent="<p> test</p> ").

Source Error:
The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:

1. Add a "Debug=true" directive at the top of the file that generated the error. Example:
   <%@ Page Language="C#" Debug="true" %>
or:
2) Add the following section to the configuration file of your application:
   <configuration>
     <system.web>
       <compilation debug="true"/>
     </system.web>
   </configuration>

Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.

Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.

Stack Trace:
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (strContent="<p> test</p> ").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +8725306
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +111
   System.Web.HttpRequest.get_Form() +129
   System.Web.HttpRequest.get_HasForm() +8725415
   System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) +97
   System.Web.UI.Page.DeterminePostBackMode() +63
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
   System.Web.UI.Page.ProcessRequest() +80
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.ajax_create_new_page_aspx.ProcessRequest(HttpContext context) +37
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618
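The post contains HTML elements (the <p> tag in your case) - this can be indicative of a cross-site scripting attack, which is why asp.net does not allow it by default. You should either HTML-encode before submitting (best practice), or disable the warning and potentially expose yourself to XSS.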
In the web.config file, within the tags, insert the httpRuntime element with the attribute requestValidationMode="2.0". Also add the validateRequest="false" attribute in the pages element.
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>
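
With request validation switched off as in the configuration above, nothing filters strContent any more, so the explicit input check the error message recommends has to happen in code. The following is an added example, not code from the question or either answer: it HTML-encodes the whole submitted value and then restores only a short allowlist of attribute-free tags. The class name SubmittedHtml, the tag list and the sample inputs are assumptions, and it uses System.Net.WebUtility (.NET 4.0 or later) so that it runs as a console program.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class SubmittedHtml
{
    // Assumption: the editor only needs these tags, with no attributes.
    // The pattern is applied to the already-encoded text, so it matches
    // "&lt;p&gt;" and "&lt;/p&gt;" but never "&lt;p onclick=...&gt;".
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(p|b|i|em|strong|ul|ol|li|br)\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Encode everything first, then turn back only the exact allowlisted
    // tags. Any other markup stays encoded and renders as inert text.
    public static string ToSafeHtml(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return string.Empty;
        string encoded = WebUtility.HtmlEncode(raw);
        return AllowedTag.Replace(encoded, m =>
            "<" + m.Groups[1].Value
                + m.Groups[2].Value.ToLowerInvariant()
                + m.Groups[3].Value + ">");
    }

    public static void Main()
    {
        // Constructed inputs; the first is the value from the error message.
        string[] samples =
        {
            "<p> test</p> ",
            "<P>bold <b>text</b><br /></P>",
            "<p onclick=\"x()\">attr</p>",
            "<script>x()</script>",
            "typed entity: &lt;p&gt;"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-32} => {1}", s, ToSafeHtml(s));
    }
}
```

In the page's code-behind the call would be SubmittedHtml.ToSafeHtml(Request.Form["strContent"]), applied before the value is written back into HTML.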