为什么会出现禁止输入验证的必要性? [英] Why is there the need to disable input validation?
问题描述
为什么ASP.NET中的IIS管道要求你退出输入验证?据我所知,所有其他主要的Web开发框架,你可以张贴任何你在表单喜欢。当按照默认的方式呈现模板,这些值会自动连接HTML coded到prevent安全漏洞。
Why does the IIS pipeline in ASP.NET require you to opt-out of input validation? As far as I know, with all other major web development frameworks, you can post whatever you like in a form. When rendering templates in the default manner, those values will be automatically HTML encoded to prevent security vulnerabilities.
ASP.NET有相同的特性。如果我是在一个特定的控制器动作禁止输入验证,然后渲染默认值(不使用 Html.Raw )的结果,它会自动连接HTML codeD。以同样的方式与其他Web框架,我可以使用 Html.Raw 退出模板自动HTML编码。但是,如果我在包含尖括号表单提交的值,的没有的禁止输入验证的话,我收到 A可能是从客户端检测到的危险值错误。
ASP.NET has the same features. If I were to disable input validation on a specific controller action, and then render the result with the defaults (not using Html.Raw), it will automatically be HTML encoded. In the same way as other web frameworks, I can opt out of the automatic HTML encoding in the template by using Html.Raw. However, if I submit a value in a form that contains angle brackets, without disabling input validation, then I receive the A potentially dangerous value was detected from the client error.
既然有机会,任意形式将允许用户使用之类的东西尖括号,那么为什么在默认情况下的安全保护功能?现在看来似乎并没有什么帮助,并在方式迫使开发商手动禁用它只是得到。
Since the chances are that any arbitrary form will allow the user to use things like angle brackets, then why is this security feature on by default? It seems like it doesn't help anything, and just gets in the way by forcing the developer to disable it manually.
我误解有所了解,或者是禁止输入验证对于大多数(如果不是全部)的形式在ASP.NET的世界?
Am I misunderstanding something about this, or is disabling input validation for the majority (if not all) of forms very common in the ASP.NET world?
推荐答案
请求验证最初创造了许多年前,当反射XSS是在网络上横行。当时,ASP.NET团队认为,可以通过拒绝那名可能包含反射XSS标记请求提供针对这种攻击一个良好的收件箱的保护机制。
Request validation was originally created many years ago when reflective XSS was rampant on the web. At the time the ASP.NET team believed that it could offer a good in-box protection mechanism against this attack by rejecting requests that were likely to contain reflective XSS markup.
事后诸葛亮,而现在回想起来,这是一个可怕的想法,因为它暂时平息开发商陷入安全的错觉。请求验证是非常漏水;它关闭这些下来的不好。正如你已经指出,在适当的输出编码这些值(如我们后来做的框架)是pferred来拒绝输入多$ P $。
Hindsight is 20/20, and in retrospect this was a terrible idea because it lulls developers into a false sense of security. Request validation is very leaky; it does a poor job of shutting these down. And as you've already stated, encoding these values appropriately on the output (as our later frameworks do) is much preferred to rejecting input.
ASP.NET小组已经正式否认请求验证作为一种保护机制,我们没有做任何给它更多的变化,即使有人能够打破它批发。但是,我们必须把它留在默认情况下,由于这对好或坏依靠它的应用程序数量。我们正在考虑的方式,使禁用它在即将到来的更新更加容易。
The ASP.NET team has officially disowned request validation as a protection mechanism, and we're not making any more changes to it, even if somebody is able to break it wholesale. But we must leave it on by default due to the number of applications which for better or for worse rely on it. We're considering ways to make disabling it far easier in an upcoming update.
来源:<一个href=\"http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#validation\" rel=\"nofollow\">http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#validation
这篇关于为什么会出现禁止输入验证的必要性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
