After upgrading to .NET 4, "A potentially dangerous Request.Form value was detected from the client" appears.

Source: Internet
Author: User

Reprinted from: http: // 123.65.0.169 /? Vs2010/thread-320-1-6


In the past, with VS2005, the solution to this same problem was:
Set it at page level (in the .aspx page):
    ValidateRequest="false"
Or set it at global level (in Web.config):
    <configuration>
      <system.web>
        <pages validateRequest="false" />
      </system.web>
    </configuration>
However, after setting this and re-running, the problem persisted and the same error was raised. So I searched the Internet for relevant information:
It turns out that once .NET Framework 4.0 or later is installed and your application targets .NET Framework 4.0, every server request is checked by request validation. This covers not only ASP.NET pages but also web services and other HTTP requests, and not only .aspx pages but also HTTP handlers, HTTP modules and so on, because the validation now happens before the BeginRequest event.
In ASP.NET 4.0 we therefore need one more line (validateRequest="false" at page level is still required), set at global level in Web.config:
    <configuration>
      <system.web>
        <httpRuntime requestValidationMode="2.0" />
      </system.web>
    </configuration>
Now the problem is solved.

The preceding method is risky. We recommend the following safer solution instead:
Error:
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client
Method 2: the correct approach is to add a Page_Error() handler to the current page to catch any exception raised while processing the page that was not handled elsewhere, and then show the user a meaningful error message. If the current page has no Page_Error(), the exception is passed to Application_Error() in Global.asax, where you can also write a common exception reporting and error handling routine. If neither handler exists, the default error page is shown.
For example, handling this exception takes only a few lines. Add the following to the code-behind page:

The following is a reference clip:
    protected void Page_Error(object sender, EventArgs e)
    {
        // Retrieve the exception that was raised while processing this page.
        Exception ex = Server.GetLastError();
        if (ex is HttpRequestValidationException)
        {
            Response.Write("Please enter a valid string.");
            // Without ClearError() the exception is passed on to Application_Error().
            Server.ClearError();
        }
    }

In this way the program intercepts the HttpRequestValidationException and returns a reasonable error message of the programmer's choosing.
This code is very simple, so I hope that anyone who does not really need to accept user input containing such characters will not disable this security feature casually. If you only need to handle the exception, use code similar to the above.
Programmers who explicitly disable this feature must understand what they are doing and manually check and filter the submitted strings; otherwise the website is vulnerable to cross-site scripting attacks.
What about pages with a rich text editor?
If a page contains a rich text editor control, HTML tags will be posted back to the server, and in that case we have to set validateRequest="false". So how do we handle security? How can we prevent cross-site scripting attacks as far as possible in this situation?
Following Microsoft's advice, we should adopt the principle of "disabled by default, explicitly allowed".
First we encode the input string with HttpUtility.HtmlEncode(), which disables every HTML tag.
Then we use Replace to restore only the safe tags we are interested in. For example, if we want to allow the <b> tag, we explicitly replace its encoded form &lt;b&gt; with <b>.
The sample code is as follows:

The following is a reference clip:
    void SubmitBtn_Click(object sender, EventArgs e)
    {
        // Encode the input string so that every HTML tag is neutralised.
        StringBuilder sb = new StringBuilder(
            HttpUtility.HtmlEncode(HtmlInputTxt.Text));
        // Then selectively allow <B> and <I> by restoring only their encoded forms.
        sb.Replace("&lt;B&gt;", "<B>");
        sb.Replace("&lt;/B&gt;", "</B>");
        sb.Replace("&lt;I&gt;", "<I>");
        sb.Replace("&lt;/I&gt;", "</I>");
        Response.Write(sb.ToString());
    }

In this way a few HTML tags are allowed while dangerous ones remain disabled.
Based on Microsoft's advice, we should be careful about allowing the following HTML tags, because they can be used for cross-site scripting attacks.
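The encode-then-allowlist approach above, as an added example (not code from the original post or from Microsoft), generalised into a reusable helper that restores only bare opening and closing tags from a configurable allowlist, case-insensitively, so that a tag carrying attributes such as an inline event handler stays encoded. It assumes System.Net.WebUtility.HtmlEncode (available since .NET 4.0) in place of HttpUtility.HtmlEncode so that it runs as a console program without a System.Web reference; the sample inputs are constructed.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not code from the original post: encode everything first,
// then explicitly re-enable a small allowlist of bare tags.
static class SafeHtml
{
    // Restores only "&lt;tag&gt;" and "&lt;/tag&gt;" for the allowed tags.
    // A tag carrying attributes (e.g. <b onmouseover=...>) never matches this
    // pattern, so it stays encoded and is rendered as harmless text.
    public static string AllowTags(string input, params string[] allowedTags)
    {
        // Step 1: disable every tag and attribute by encoding the whole string.
        string encoded = WebUtility.HtmlEncode(input);
        if (allowedTags == null || allowedTags.Length == 0)
            return encoded;

        // Step 2: one pattern for all allowed tag names, matched case-insensitively.
        string names = string.Join("|", Array.ConvertAll(allowedTags, t => Regex.Escape(t)));
        var bareTag = new Regex("&lt;(/?)(" + names + ")&gt;", RegexOptions.IgnoreCase);

        // Step 3: restore only exact bare tags, normalising the name to lower case.
        return bareTag.Replace(encoded, m =>
            "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
    }

    static void Main()
    {
        // Constructed sample inputs of the kind a rich text editor might post back.
        string[] samples =
        {
            "<b>bold</b> and <i>italic</i>",           // both tags restored
            "<B>upper case</B>",                       // restored in lower case
            "<b onmouseover=\"alert('x')\">hover</b>", // opening tag stays encoded
            "<script>alert('hello')</script>",         // stays encoded
            "<style type=\"text/javascript\">alert('hello');</style>",
        };
        foreach (string s in samples)
            Console.WriteLine(AllowTags(s, "b", "i"));
    }
}
```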

The following is a reference clip:
    <applet>
    <body>
    <embed>
    <frame>
    <script>
    <frameset>
    <html>
    <iframe>
    <img>
    <style>
    <layer>
    <link>
    <ilayer>
    <meta>
    <object>

is the least obvious one. However, the risk should be clear after reading the following code.

The following is a reference clip:


This tag can cause JavaScript to execute, so attackers can disguise whatever they want to do.

The same is true for <style>:

The following is a reference clip:
    <style type="text/javascript">
    alert('hello');
    </style>
