Can a page's ValidateRequest setting be overridden?

Question

I have an ASP.NET MVC form that may (usually does) submit a response that would trigger the "A potentially dangerous Request.Form value was detected from the client" error.

To try to get around this, I have placed a ValidateRequest="false" in the page directive.

Only problem: I'm still getting the error!

Now, all was good until I updated to the ASP.NET MVC RC this morning, and (according to the readme), placed the following in the Views web.config:

<pages validateRequest="false" 
       pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
       pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
       userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
    <controls>
        <add assembly="System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="System.Web.Mvc" tagPrefix="mvc" />
    </controls>
</pages>

So, validateRequest should be false for all pages, right? What am I missing?

Recommended answer

In MVC, validation takes place at the controller level, not at the page level. To see why this is, consider that at the time the controller action is executing, we don't know what view will be chosen to render. (In fact, the controller action might not even render a view at all! It might open a file download prompt on the client instead.) Additionally, if a user is submitting malicious input to the server, by the time the view is rendered it's too late to do anything about it. The controller already will have committed the dangerous input to the database.

Instead, please decorate the controller or action with the attribute [ValidateInput(false)]. This will cause us to suppress request validation for that controller or action.
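
The attribute placement the answer describes, as an added example that is not part of the original question or answer: suppression is scoped to the single POST action that needs it, and because that action's input then arrives unchecked, the value is length-limited before storage and HTML-encoded when written back out. The controller name, the `body` parameter, the 4000-character limit and the in-memory list standing in for the database are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Hypothetical controller; names are illustrative, not from the original post.
public class CommentsController : Controller
{
    // Constructed in-memory store standing in for the database.
    private static readonly List<string> Comments = new List<string>();
    private static readonly object Gate = new object();

    // No [ValidateInput(false)] here: request validation keeps its default (on).
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult Create()
    {
        return View();
    }

    // Request validation is suppressed for this one action only.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Create(string body)
    {
        // With validation off, every field of this request is unchecked,
        // so enforce the application's own limits before storing anything.
        if (string.IsNullOrEmpty(body) || body.Length > 4000)
        {
            ModelState.AddModelError("body", "Comment is required (max 4000 characters).");
            return View();
        }
        lock (Gate) { Comments.Add(body); }   // stored exactly as submitted
        return RedirectToAction("Index");
    }

    // Every stored value is HTML-encoded at the point of output, so markup
    // a user submitted is displayed as text instead of being interpreted.
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult Index()
    {
        StringBuilder html = new StringBuilder("<ul>");
        lock (Gate)
        {
            foreach (string comment in Comments)
                html.Append("<li>").Append(HttpUtility.HtmlEncode(comment)).Append("</li>");
        }
        return Content(html.Append("</ul>").ToString(), "text/html");
    }
}
```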
