Validaterequest = false is not in. net2.0. What should I do?

Validaterequest = false is not in. net2.0. What should I do?

The ASP. NET Request verification function can provide applications to me.ProgramTo prevent the website from being attacked by XSS.

However, in some cases, we need to disable this function. For example, we need to use htmleditor to allow users to enter some HTML text. In this case, Asp. NET 2.0 allows us. config system. set validaterequest = "false" in the Web node ".

Or in MVC, we can set [validaterequest (false)] on the Controller or action to disable it.

However, when you upgrade the site from the old version to ASP. net 4.0, you will find that even if you do this, you will still be prompted for such an exception "a potentially dangerous request. form value was detected from the client ".

How can we solve this problem?

In fact, the main cause of validaterequest = False Failure is that ASP. NET 4.0 page verification fails to get the value of validaterequest before httphandler instantiation. For more information about httphandler, refer to this blog post: http://www.cnblogs.com/gis_zhou/articles/1589773.html--thank him

 

In the previous ASP. NET versions, request verification is enabled by default, but it is only valid for page requests (request. ASPX page), and is only verified when the page is requested.

but in ASP. in. Net 4.0, the request verification function is advanced to ihttphandler. before the beginrequest method is requested, this means that all access to ASP. all HTTP requests of the. NET Request channel will be verified for the validity of the request content, including some custom httphandler and WebService requests, you can even use the custom HTTP module to customize the request processing program. The early result of request verification processing is that we set validaterequest = false in the page or controller, which will invalidate and will not prevent the program from verifying the request input. After this is done, the validators cannot obtain whether the requested page has disabled the authentication request because httphandler has not yet been instantiated. In addition, ASP. net4.0 does not provide me with a place to disable this authentication function. However, for compatibility considerations, ASP. NET allows us to configure the request verification behavior using ASP. NET 2.0 in Web. config: .