是不是危险的,如果我设置ValidateRequest假? [英] Isn't dangerous if I set ValidateRequest to false?
问题描述
我用在我的asp.net项目的一些web表单FreeTextBox HTML编辑器。如果我不ValidateRequest属性设置为false我得到这个错误:
I'm using FreeTextBox HTML editor in some webforms in my asp.net project . if I do not set ValidateRequest property to false I get this error :
从客户端检测到有潜在危险的Request.Form值
A potentially dangerous Request.Form value was detected from the client
这是在管理文件夹OK虽然,因为只有授权用户才能访问与它合作。但如何对公共页面一样,每一个用户都可以访问发表评论(使用FreeTextBox收集用户评论)的部分?是不是有风险的XSS攻击?如果答案是不是有,那么什么是对ValidateRequest财产?
It's OK in admin folder though , Because only authorized users have access to work with it . But how about public pages like sections where every users have access to leave comments(using FreeTextBox for collecting users comment ) ? Isn't risky for XSS Attack ? If the answer is not Yes , So what's ValidateRequest property for ?
推荐答案
都能跟得上你是正确的,这是潜在的危险。其背后的想法是,.NET不希望限制什么可以用它的控制来完成,但同时消除了许多的安全漏洞的可能性。该ValidateRequest属性是有那么你可以告诉ASP.NET,嘿,不用担心这一点。我要验证它自己,因为我想到的东西,可能看起来危险的给你。
Nope you are correct this is potentially dangerous. The idea behind it is that .net doesn't want to restrict what can be done with it's controls, but at the same time remove many of the possibilities for a security hole. The ValidateRequest property is there so you can tell ASP.NET, "Hey don't worry about this. I'm going to validate it myself, because I expect something that may look dangerous to you."
它设置为验证默认的响应,因为没有验证潜在的XSS攻击是危险的,它是更好地得到您没有比有你的网站被黑客入侵实现验证错误。
It's set to validate responses by default, because not validating potential xss attacks is dangerous, and it's better to get a validation error that you didn't realize than have your site hacked.
这篇关于是不是危险的,如果我设置ValidateRequest假?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
