预编译所有站点仍然收到错误消息“从客户端检测到一个潜在危险的request.querystring值” [英] Precompile all site still gets the error message “a potentially dangerous request.querystring value was detected from the client”

问题描述

我搜索并阅读了很多帖子，谈论错误消息从客户端检测到一个潜在危险的request.querystring值。但是，我相信我的问题完全不同。



在我的web.config文件中，我已经在下面定义了两个键：

I did search and read so many posts talk about the error message "A potentially dangerous request.querystring value was detected from the client". But, I believe my problem is totally different.

In my web.config file, I already defined two keys below:

<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />

因此，如果我在不使用预编译的情况下发布我的项目（asp.net webform）选项，一切都会按照我的预期顺利运行。



但是，如果我使用预编译选项发布我的项目（预编译所有站点），上面的错误将始终发生在我提交表格。



提交表单非常简单，它包含一个输入文本控件和一个提交按钮。我的输入文字是

So, if I publish my project (asp.net webform) without using Precompile option, everything will work smoothly as my expected.

However, if I publish my project with Precompile option (precompile all site), the error above will always occur when I submit a form.

The submit form is so simple, it contains one input text control and one submit button. And my input text was

<script>alert(1)</script>

所以，我的问题是为什么预编译发​​布版本会出现这个问题？对我有什么建议吗？



我尝试了什么：



Put web.config下面的两个键无法解决问题。

So, my question is why this issue happens with precompile publish build? Any advice for me?

What I have tried:

Put two keys below in web.config does not solve the problem.

<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />

推荐答案

您传递的HTML包含脚本表单中的标记。这是有潜在危险的。目标不是通过设置一些选项来摆脱错误消息，而是避免传递这样的危险数据。



这可以通过编码数据来完成处理前提交和解码。常用的方法是使用 HttpServerUtility.HtmlEncode Method（String）（System。 Web） [ ^ ]。但另见 ScottGu的博客 - 新<％：％> ASP.NET 4（和ASP.NET MVC 2）中HTML编码输出的语法 [ ^ ]。

You are passing HTML containing a script tag from your form. Such is potentially dangerous. The goal is not to get rid of the error message by setting some options but to avoid that such dangerous data is passed.

This can be done by encoding the data upon submission and decoding before processing. The common method is to use the HttpServerUtility.HtmlEncode Method (String) (System.Web)[^]. But see also ScottGu's Blog - New <%: %> Syntax for HTML Encoding Output in ASP.NET 4 (and ASP.NET MVC 2)[^].

这篇关于预编译所有站点仍然收到错误消息“从客户端检测到一个潜在危险的request.querystring值”的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！