The reason of failure of verification mechanism under asp.net4.0 frame and its treatment method _ practical skills

Asp. NET request validation provides us with the security of the application and avoids the site being attacked by XSS cross-site scripting. But sometimes, for example, we need to use the online text editor such as CKEditor to let the user input some HTML text, under the ASP.net 2.0 frame, by setting validaterequest= "false" in Web.config. Or in MVC, we can do this by setting the [ValidateRequest (false)] feature on controller or action. But under the ASP.net 4.0 framework, you will find that even if you do, you will still be prompted with an exception like "a potentially dangerous request.form value is detected from the client". What the hell is going on here?

It turns out that the asp.net4.0 application lifecycle has changed, and in previous versions of ASP.net, request validation was enabled by default, but it is only valid for page requests (request. aspx pages) and is only validated when the page is requested. But in ASP.net 4.0, The request validation function is advanced to Ihttphandler.beginrequest before this method is requested, which means that all HTTP requests entering the ASP.NET request channel will be validated by the legality of the request content, including some custom Httphandler,webservic e request, and even use custom HTTP module for custom request handlers.

The consequence of the request verification processing being advanced is that we set the Validaterequest=false in the page, or controller, and will fail to prevent the program from validating the requested input. Because of this, the validator cannot get the requested page to disable the authentication request because the HttpHandler is not yet instantiated. And in asp.net4.0, there's no way to give me a place to disable this validation feature. However, for compatibility reasons, ASP. NET allows us to configure the request validation behavior using ASP.net 2.0 in Web.config: