3
我想检查我的MVC应用程序的安全性。当我尝试输入HTML或JavaScript时,会出现一个错误:潜在的危险请求。潜在的危险请求,隐藏错误
Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
这看起来不错,不可能注入HTML或JavaScript。但是我不喜欢的东西,用户会看到我的版本的ASP.net和一切。
如何删除此错误并仅给出以下消息:我不喜欢您的输入或其他内容。
我试图做到这一点,但是这是行不通的:
[Authorize]
public ActionResult Create(int album_id)
{
ViewBag.album_id = album_id;
return View();
}
[Authorize]
[HttpPost]
public ActionResult Create(REVIEW model)
{
string txt = null;
try
{
txt = model.TEKST;
}
catch (System.Web.HttpRequestValidationException)
{
txt = "errorrr";
}
return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID});
}
SOLUTION: 见Nudier的回答
我推荐第一种方法。可以通过修改web.config临时禁用通过第一种方法重定向。第二件事情并不容易。 –
我试过了第一种方法,但它仍然在做相同的处理...... – user1408786
这也在我的配置文件中:
user1408786