0

我遇到了一个 Web 应用程序的问题,该应用程序经常仅使用一个 aspx 页面就出现以下样式错误:

Browser: IE
Url Referrer: redacted
User Host 1.1.1.1
User Host Name: 1.1.1.1
Last Error: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w..."). at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Stack Trace: at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) at System.Web.HttpRequest.get_Form() at System.Web.HttpRequest.get_HasForm() at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull) at System.Web.UI.Page.DeterminePostBackMode() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.pages_front_closingques_default_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Source: System.Web
Message: A potentially dangerous Request.Form value was detected from the client (ctl11$lbl="...na Redacte w...").

通常,我怀疑用户一定做了一些愚蠢的事情,比如在其中放置了一个 HTML 标签,但是这种情况经常发生,并且电子邮件中没有报告任何 HTML 标签。

我知道我可以使用该指令关闭 ,但这也是不可取的,因为我想要一些验证,而不是过度敏感的验证。ValidateRequestRequestValidation="false" Page

有什么方法可以覆盖的默认实现ValidateRequest?有没有人遇到ValidateRequest过错误地产生错误?最后,有人知道ValidateRequesteven 的实现是什么样的吗?

4

1 回答 1

1

由于您说误报仅来自一个页面,因此我将启用站点级别的 web.config 设置,并仅禁用此页面的页面级别验证。

然后你需要对页面上的用户输入负责:

  • 对所有字段进行自己的(服务器端)验证,例如正则表达式等。
  • 在写出之前对任何已知是用户输入的数据进行清理,例如使用WPL
于 2012-08-14T21:15:17.403 回答