What is the "A potentially dangerous Request.QueryString value was detected from the client" error in ASP.NET? (Error countermeasures)

Source: Internet
Author: User

Exception details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (id="<a href= ...). The exception is raised by ASP.NET request validation, which rejects any query string, form field or cookie value that looks like HTML markup before the page code runs.

Solution:

One solution is to add <pages validateRequest="false"/> under <system.web> in Web.config.
This disables request validation for every page in the application.

Example:
<?xml version="1.0" encoding="gb2312"?>
<configuration>
<system.web>
<pages validateRequest="false"/>
</system.web>
</configuration>

Note that element and attribute names in Web.config are case-sensitive (system.web, pages, validateRequest). On ASP.NET 4.0 and later, request validation runs earlier in the request pipeline and validateRequest="false" has no effect unless <httpRuntime requestValidationMode="2.0"/> is also present under <system.web>.

The other solution is to add ValidateRequest="false" to the @ Page directive:
<%@ Page Language="C#" ValidateRequest="false" %>
This is valid only for that page, which is the safer choice: only the page that actually needs to accept markup loses the built-in check.

<%@ Page ValidateRequest="false" Language="C#" CodeBehind="index.aspx.cs" AutoEventWireup="false" Inherits="mybbs.WebForm1" %>

Note:

The .NET Framework help documentation is clear on this point:

Script exploits in a Web application occur when a user can insert executable code (script) into your application. By default, ASP.NET provides request validation, which raises an error whenever a form post contains any HTML at all, regardless of the kind of HTML.
You can use the following methods to prevent script exploits:
Apply HTML encoding to strings before accepting or displaying them, so that the strings do not contain any executable elements.
If your application needs to accept some HTML, disable request validation and create your own HTML filter.
The procedures in this topic describe how to perform these tasks.
Apply HTML Encoding
HTML encoding converts the HTML reserved characters in a string (such as <, > and &) into their character entities, so that HTML elements are displayed as text rather than interpreted by the browser.
To apply HTML encoding
Call the HtmlEncode method of the Server object before displaying the string. HTML elements are converted into a string representation that the browser will display (not interpret as HTML).
The following example illustrates HTML encoding. In the first instance, user input is encoded before it is displayed. In the second instance, data from the database is encoded before it is displayed.
Note that this example only runs if ValidateRequest="false" has been added to the @ Page directive to disable request validation for the page; otherwise a post containing HTML is rejected before the event handler is reached. Do not disable request validation without adding your own checks or filters.
' Visual Basic
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As _
    System.EventArgs) Handles Button1.Click
    ' Encode user input before displaying it
    Label1.Text = Server.HtmlEncode(TextBox1.Text)
    ' Encode data read from the database as well; it is not trusted either
    Label2.Text = _
        Server.HtmlEncode(dsCustomers1.Customers(0).CompanyName)
End Sub

// C#
private void Button1_Click(object sender, System.EventArgs e)
{
    // Encode user input before displaying it
    Label1.Text = Server.HtmlEncode(TextBox1.Text);
    // Encode data read from the database as well; it is not trusted either
    Label2.Text =
        Server.HtmlEncode(dsCustomers1.Customers[0].CompanyName);
}
Filter HTML elements
By default, the Web Forms page checks for HTML elements and reserved characters in the information posted to the server. This helps prevent users from embedding script in your application. When the page detects HTML, it raises an error, which you can catch in a Page_Error or Application_Error handler. For more information, see the topic on displaying safe error messages.
However, if your application needs to accept some HTML elements, you can disable request validation and create a filter that lets through only the HTML elements you choose to accept.
Do not write a filter that tries to remove only unacceptable elements, because it is very difficult to anticipate every possible malicious input. Instead, write a filter that defines the acceptable input and encodes everything else (an allow list).
To filter HTML elements
Add the attribute ValidateRequest="false" to the @ Page directive to disable request validation.
Security note: do not disable automatic request validation without adding your own checks or filters.
Encode the string with the HtmlEncode method.
Call the String.Replace method to convert the encoded form of each tag you accept (for example &lt;b&gt;) back into its HTML form (<b>).
Note: if you are familiar with regular expressions, you can use one to perform the filtering more efficiently. For more information, see .NET Framework Regular Expressions.
The following example shows a simple filter that accepts bold and underline elements (<b>, </b>, <u>, and </u>). All other user input is encoded before it is displayed.
Security note: many HTML tags allow script in their attributes, and an element whose attribute contains script is still well-formed HTML. If you want to accept HTML tags that do more than simple formatting, you must make sure that a malicious user cannot pass script to your application through the tags you allow.
' Visual Basic
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim userInput As String = TextBox1.Text
    ' Encode everything first, so no raw markup survives
    userInput = Server.HtmlEncode(userInput)
    ' Then re-enable only <b>, </b>, <u>, </u>, case-insensitive
    userInput = userInput.Replace("&lt;b&gt;", "<b>")
    userInput = userInput.Replace("&lt;/b&gt;", "</b>")
    userInput = userInput.Replace("&lt;B&gt;", "<b>")
    userInput = userInput.Replace("&lt;/B&gt;", "</b>")
    userInput = userInput.Replace("&lt;u&gt;", "<u>")
    userInput = userInput.Replace("&lt;/u&gt;", "</u>")
    userInput = userInput.Replace("&lt;U&gt;", "<u>")
    userInput = userInput.Replace("&lt;/U&gt;", "</u>")
    Label1.Text = userInput
End Sub

// C#
private void Button1_Click(object sender, System.EventArgs e)
{
    string userInput = TextBox1.Text;
    // Encode everything first, so no raw markup survives
    userInput = Server.HtmlEncode(userInput);
    // Then re-enable only <b>, </b>, <u>, </u>, case-insensitive
    userInput = userInput.Replace("&lt;b&gt;", "<b>");
    userInput = userInput.Replace("&lt;/b&gt;", "</b>");
    userInput = userInput.Replace("&lt;B&gt;", "<b>");
    userInput = userInput.Replace("&lt;/B&gt;", "</b>");
    userInput = userInput.Replace("&lt;u&gt;", "<u>");
    userInput = userInput.Replace("&lt;/u&gt;", "</u>");
    userInput = userInput.Replace("&lt;U&gt;", "<u>");
    userInput = userInput.Replace("&lt;/U&gt;", "</u>");
    Label1.Text = userInput;
}
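The same encode-then-allow-list approach, written as a stand-alone console program so it can be run outside a Web Forms page. This is an added example, not code from the original page or from the .NET documentation it quotes. It replaces the chain of String.Replace calls with the single case-insensitive regular expression the documentation's note suggests, uses System.Net.WebUtility.HtmlEncode in place of Server.HtmlEncode (the two produce the same entities for <, >, &, " and '), and runs over a few constructed inputs to show why a denylist would be the wrong design: a <b> tag carrying an event-handler attribute, a script element and a javascript: link all stay encoded because they never match the narrow allowed form. The class and method names are assumed for the example.

```csharp
// Added example (not from the original page or the .NET documentation).
// Encode everything, then decode only an allow list of bare tags.
using System;
using System.Net;
using System.Text.RegularExpressions;

static class SafeHtmlFilter
{
    // Only bare <b>, </b>, <u>, </u> (no attributes, no whitespace) are re-enabled.
    // Anything else, e.g. <b onmouseover=...>, stays as &lt;...&gt; and renders as text.
    private static readonly Regex AllowedTags = new Regex(
        @"&lt;(/?)(b|u)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string Filter(string userInput)
    {
        if (userInput == null) return string.Empty;

        // Step 1: encode everything. After this the string contains no raw '<', '>' or '&',
        // so input that was already entity-encoded (e.g. "&lt;b&gt;") cannot match below.
        string encoded = WebUtility.HtmlEncode(userInput);

        // Step 2: decode only the allowed tags back to markup, normalised to lower case.
        return AllowedTags.Replace(encoded,
            m => "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
    }

    // Defensive check for the caller: after removing the allowed tags,
    // the output must not contain any '<' at all.
    public static bool ContainsOnlyAllowedMarkup(string html)
    {
        return Regex.Replace(html, @"</?(b|u)>", string.Empty).IndexOf('<') < 0;
    }

    static void Main()
    {
        // Constructed sample inputs; not captured from any real request.
        string[] samples =
        {
            "Hello <b>world</b> and <U>underlined</U>",
            "<script>alert(1)</script>",
            "<b onmouseover=\"alert(1)\">x</b>",
            "<a href=\"javascript:alert(1)\">link</a>",
            "&lt;b&gt;already encoded&lt;/b&gt;",
            "1 < 2 && 3 > 2",
        };

        foreach (string s in samples)
        {
            string safe = Filter(s);
            Console.WriteLine("{0}", s);
            Console.WriteLine("  -> {0}  [allowed markup only: {1}]", safe, ContainsOnlyAllowedMarkup(safe));
        }
    }
}
```

Encoding first is what makes the allow list sound: because HtmlEncode turns & into &amp;, a user who submits the literal text &lt;b&gt; gets &amp;lt;b&amp;gt;, which the regular expression never matches, so only markup that was typed as real < and > characters, and then only the four bare tags, reaches the browser unencoded. The stray </b> produced from the attribute-carrying input is harmless; browsers ignore an unmatched closing tag.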
