Measure the test taker's knowledge about ASP. NET security.

Let's take a look at the validaterequest attribute. (Note: This attribute is added in. net 2.0 !)

1. Its namespace is System. Web. Configuration.

2. Assembly: System. Web is in system. web. dll)

3. Class: pagesSection

I have a general understanding of this attribute above. Next we will analyze it in detail. This attribute is used to verify the input of client users, it is used to verify whether there are dangerous characters in user input. The default value of this attribute is true. Microsoft does this to improve ASP. so many programmers do not know how to defend against hacker attacks.

Some default attributes of ASP. NET and other content have been controlled for security, which is why ASP. NET programs are relatively secure. Since the default value of this attribute is true, and ASP. NET page is frequently resent, so if there is no user interaction, ASP. NET does not require strict processing every time, it may also consume the execution time of the system back and forth. As for: If there is no client interaction, ASP. will NET verify that this is a problem for Microsoft engineers.

For us, if there is no client interaction, I feel that this attribute should be set to false, so no matter how Microsoft engineers design it, it has no impact on our program itself.

However, when users need to interact with each other, we need to use its default value. However, things may not be as simple as we think, nor perfect, when a user uses some html editors, there are <xxxxxxx> and other such characters in the submitted characters. This requires the programmer to disable the validaterequest attribute, what should we do to control ASP at this time. NET security performance?

Of course, we can filter all dangerous characters here, which may improve ASP. NET security, but we prevent omissions in user input, which leads to security issues. We can also consider how many special characters we need to submit, then, escape or replace the special characters we submit, so that we can set the validaterequest attribute to true, this not only solves the security issues of the program but also satisfies our needs.

Sometimes, when interacting with users, users may inevitably enter special characters, because the value of validaterequest we set is true, so the page will not give any prompt, directly output a large page of error information, which may lead to users' misunderstanding. They may think that the website is faulty and the user cannot think that he has entered invalid characters! What should we do in this case?

Fortunately, Microsoft engineers gave another Page_Error event in the page, so that we can use it to capture exceptions. The Code is as follows:

 
 

  
  
Protected void Page_Error (object sender, EventArgs e)
  
  
{
  
  
ExceptionEx=Server. GetLastError ();
  
  
If (ex is HttpRequestValidationException)
  
  
{
  
  
Response. Write ("the characters you entered have invalid characters! ");
  
  
Server. ClearError ();
  
  
}
  
  
}
 
 

1. Analysis of configuration files in ASP. NET
2. . Net ria Services is as convenient as ASP. NET
3. Overview of the UpdatePanel control in ASP. net ajax Extensions
4. ASP. NET calls the UpdatePanel Update () method
5. Introduction to the ASP. net ajax wcf Service