3

我正在尝试检查我的 MVC 应用程序的安全性。当我尝试输入 html 或 javascript 时出现错误:潜在危险请求。

Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

这看起来不错,不可能注入 HTML 或 JavaScript。但我不喜欢的东西,用户会看到我的 ASP.net 版本和一切。

我怎样才能删除这个错误并只给出一条消息:我不喜欢你的输入或其他什么。

我试图这样做,但这不起作用:

[Authorize]
public ActionResult Create(int album_id)
{
    ViewBag.album_id = album_id;
    return View();
}

[Authorize]
[HttpPost]
public ActionResult Create(REVIEW model)
{
    string txt = null;
    try
    {
        txt = model.TEKST;
    }
    catch (System.Web.HttpRequestValidationException)
    {
        txt = "errorrr";
    }


    return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID});
}

解决方案:见 Nudier 的回答

4

1 回答 1

4

您可以通过以下方式处理应用程序中的错误

1.在应用程序的 Web.Config 文件中设置 CustomErros 模式部分

这是 mode 属性可以接受的选项列表。

RemoteOnly:为远程用户显示一般错误页面。针对本地请求(从当前计算机发出的请求)显示丰富的错误页面。这是默认设置。

关闭:无论请求的来源如何,都会为所有用户显示丰富的错误页面。此设置在许多开发方案中很有帮助,但不应在已部署的应用程序中使用。

On:无论请求的来源如何,都会为所有用户显示一般错误页面。这是最安全的选择。

     <System.Web>
      //map all the erros presented in the application to the error.aspx webpage
     <customErrors mode="RemoteOnly" defaultRedirect ="~/error.aspx" />
    <System.Web>

2.通过Application_Error函数中的Global.asax文件

     //handle all the errors presented in the application
      void Application_Error(object sender, EventArgs e){  
     Server.Tranfer("error.aspx");
    }

我希望这对你有用。

于 2012-06-17T16:35:46.740 回答