如何绕过单个字段的请求验证? [英] How can I bypass request validation for a single field?

问题描述

在这个XSS和其他黑客时代，我看到了对请求验证的需求.但这可能有点矫kill过正，就像割断孩子的腿以确保他不会在路上撞死一样.

I can see the need for request validation in this age of XSS and other hacks. But it can be a bit of overkill, it's like cutting off your child's legs to ensure he won't run onto the road and get killed.

我们收到的抱怨是，无法设置< password> 之类的密码.据我所知，解决此问题的唯一方法是在整个页面上设置 ValidateRequest ="false" (例如注册，登录，重置密码).并且在使用.NET 4.0时，还需要为整个应用程序设置< httpRuntime requestValidationMode ="2.0"/> .

We're getting complaints from that it isn't possible to set a password like <password>. The only way to fix this, as far as I can tell, is to set ValidateRequest="false" on a whole bunch of pages (such as registration, logon, reset password). And when using .NET 4.0, you also need to set <httpRuntime requestValidationMode="2.0" /> for the whole application.

这真的是唯一的方法吗?有没有办法指出不应仅对密码字段进行验证?

Is this really the only way? Is there no way to state that only the password field should not be validated?

推荐答案

在asp.net 4中，您可以创建自定义服务器端请求验证器，该验证器可能会接受此类非典型请求.写一个很容易，第一个用谷歌搜索的例子应该让你开始写自己的:

In asp.net 4 you can create your custom server side request validator which could possibly accept such atypical requests. Writing one is easy, the first googled example should let you start writing your own:

http://jefferytay.wordpress.com/2010/04/15/creating-your-own-custom-request-validation/

这篇关于如何绕过单个字段的请求验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！