潜在的危险请求，隐藏错误

Question

我想检查我的MVC应用程序的安全性。当我尝试输入HTML或JavaScript时，会出现一个错误：潜在的危险请求。

Server Error in '/' Application. 
A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht..."). 
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133. 

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht..."). 

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

这看起来不错，不可能注入H​​TML或JavaScript。但是我不喜欢的东西，用户会看到我的版本的ASP.net和一切。

如何删除此错误并仅给出以下消息：我不喜欢您的输入或其他内容。

我试图做到这一点，但是这是行不通的：

[Authorize] 
public ActionResult Create(int album_id) 
{ 
    ViewBag.album_id = album_id; 
    return View(); 
} 

[Authorize] 
[HttpPost] 
public ActionResult Create(REVIEW model) 
{ 
    string txt = null; 
    try 
    { 
     txt = model.TEKST; 
    } 
    catch (System.Web.HttpRequestValidationException) 
    { 
     txt = "errorrr"; 
    } 


    return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID}); 
} 

SOLUTION： 见Nudier的回答

Answer 1

您可以通过以下方式

1处理您的应用程序中的错误。在您的应用程序的Web.Config文件中设置CustomErros模式部分

这是模式属性可以接受的选项列表。

RemoteOnly：显示远程用户的一般错误页面。针对 本地请求（来自当前计算机的请求）显示丰富的错误页面。这是 的默认设置。

Off：无论请求的来源如何，所有用户都会显示丰富的错误页面。 此设置在许多开发场景中很有用，但不应在 已部署的应用程序中使用。

查看：显示所有用户的一般错误页面，无论 请求的来源如何。这是最安全的选择。

 <System.Web> 
     //map all the erros presented in the application to the error.aspx webpage 
    <customErrors mode="RemoteOnly" defaultRedirect ="~/error.aspx" /> 
    <System.Web> 

2. throught Global.asax文件中的Application_Error功能

 //handle all the errors presented in the application 
     void Application_Error(object sender, EventArgs e){ 
    Server.Tranfer("error.aspx"); 
    } 

我希望这对你的作品。