logo
本站首页 | 代码实验室 | CSS3 中文参考 | 书籍出版 | Google 英文翻译版 | 给我留言

[转帖]requestValidationMode 导致 ValidateRequest=False 失效或者ASP.NET 4.0事件消息: 发生了验证错误;检测到有潜在危险的Request.Form值

作者:kwanann 阅读:3378 发表于:2010-09-19 12:46:15

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

XML/XHTML 代码
<httpRuntime requestValidationMode=”2.0″ />


IMPORTANT:

Because this is now in the BeginRequest phase of a HTTP request, pages with validationRequest=”false”  will still get the dreaded message. The only way is to

   1. Set requestValidationMode=”2.0″ in which case the page setting will apply
   2. Ignore requestValidationMode setting and create your own requestvalidator and change your web.config to use the custom validator


Creating your own custom request validation

Here’s the sample code to create your own custom request validation which allows all html tags except script tags

You will need to modify the web.config as well

XML/XHTML 代码
<httpRuntime requestValidationType=”Globals.CustomRequestValidation”/>


NOTE: There is no current way to find out whether the page has validateRequest=false. I’ve submitted a feedback to Microsoft, click here to view the status of the request

C# 代码

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Util;

namespace Globals
{
  /// <summary>
  /// Summary description for CustomRequestValidation
  /// </summary>
  public class CustomRequestValidation : RequestValidator
  {
    public CustomRequestValidation() { }
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
      //block script tags
      var idx = value.ToLower().IndexOf("<script");
      if (idx > -1)
      {
        validationFailureIndex = idx;
        return false;
      }
      else
      {
        validationFailureIndex = 0;
        return true;
      }
    }
  }
}

原文:http://jefferytay.wordpress.com/2010/04/15/asp-net-4-breaking-changes-1-requestvalidationmode-cause-validaterequestfalse-to-fail/

web.config里面的最终配置

web.config 代码
<system.web>
  <pages validateRequest="false"/>
  <compilation debug="false" targetFramework="4.0" />
  <httpRuntime requestValidationMode="2.0" />
</system.web>

 

发表评论】 【打印文章】 【收藏本页
® 孟宪会 2011年 版权所有
Rss Rss 集成浏览器搜索