1. 首页
  2. 问答
  3. .NET 2/VB:RequestValidation =假替代

.NET 2/VB:RequestValidation =假替代

2012-08-14 43 views
0

我遇到了一个Web应用程序,经常只是一个单一的aspx页面喷涌而出,下面的样式错误的问题:.NET 2/VB:RequestValidation =假替代

Browser: IE 
Url Referrer: redacted 
User Host 1.1.1.1 
User Host Name: 1.1.1.1 
Last Error: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w..."). at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 
Stack Trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 
Source: System.Web 
Message: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w...").

通常情况下,我会怀疑用户必须做一些愚蠢的事情,比如将HTML标签放在那里,但这种情况经常发生,并且电子邮件中没有HTML报告。

我知道,我可以用RequestValidation="false"Page指令关闭关闭ValidateRequest,但是这也是不可取的,因为我想一些验证,只要不是过度敏感验证。

有什么方法可以覆盖ValidateRequest的默认实现吗?有没有人遇到错误地产生错误ValidateRequest?最后,有人知道ValidateRequest甚至看起来像什么吗?

来源

2012-08-14 tacos_tacos_tacos

+0

为什么在这个问题的标题中包含“经典”这个词? – AnthonyWJones 2012-08-14 20:58:06

+0

@AnthonyWJones,我大多是新的微软堆栈,从我的理解是“经典”ASP与ASP.NET和“经典”VB与VB.net之间的区别... – 2012-08-14 21:00:24

+0

但我同意标题是可怕的。 ..建议? – 2012-08-14 21:00:52

回答

1

既然你说误报只来自一个页面,我会保持启用网站级web.config设置,并禁用页面级的验证。

然后你需要在页面上用户输入的责任:

  • 信息在所有的领域,比如你自己的(服务器端)的验证正则表达式等。
  • 在写出之前清理已知为用户发起输入的任何数据,例如,与WPL

来源

2012-08-14 21:15:17 StuartLC

+0

_request_ validator(即GET或POST问题)和_input_ validator(在请求发生之前表面发生的事情)之间没有区别, – 2012-08-14 21:16:33

相关问题

 相关问题