A potentially dangerous Request.Form value was detected from the client


Problem description


I have this issue. I have tried everything. ValidateRequest="false".. and decoding and encoding html.. etc. etc..

What I need is a popup box (so I'm using ModalPopupExtender) to present to a user where people can type in xml settings and click ok/cancel button to close the popup and save.

However, I keep on getting this error "A potentially dangerous Request.Form value was detected from the client"..

Here is my test code below (quick example of my scenario and error)..

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm1.aspx.cs" Inherits="WebApplication1.WebForm1"
    ValidateRequest="false" %>

<%@ Register Assembly="AjaxControlToolkit" Namespace="AjaxControlToolkit" TagPrefix="cc1" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <asp:ScriptManager ID="ScriptManager1" runat="server">
    </asp:ScriptManager>
    <div>
        <asp:Panel ID="Popup" runat="server" Width="800px" Style="display: none;">
            <asp:LinkButton ID="Display" runat="server" Style="display: none;" OnClick="Display_Click" />
            <cc1:ModalPopupExtender ID="ModalPopupExtender" runat="server" TargetControlID="Display"
                PopupControlID="Popup" DropShadow="false" Y="10" />
            <div id="Item">
                <div class="Item">
                    <table width="100%">
                        <tr>                                
                            <td>
                                <textarea id="txtAreaValue" cols="35" rows="6" style="resize: none;" runat="server" />
                            </td>
                        </tr>
                        <tr>                                
                            <td>
                                <asp:Button ID="btnOk" Text="Ok" SkinID="default" Width="50px" runat="server" />
                                <asp:Button ID="btnCancel" Text="Cancel" SkinID="default" Width="50px" OnClick="BtnCancel_Click"
                                    runat="server" />
                            </td>
                        </tr>
                    </table>
                </div>
            </div>
        </asp:Panel>
    </div>
    </form>
</body>
</html>

Code Behind:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication1
{
    public partial class WebForm1 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            ModalPopupExtender.Show();
            string str = "<?xml version=\"1.0\" encoding=\"utf-8\"?><XmlConfig xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"> <XmlConfig Type=\"TEST\" DefiningXpath=\"/PERSON/NAME\"><Index Name=\"Name\" XPath=\"/PERSON/NAME/VALUE\" Type=\"String\" /><Index Name=\"Id\" XPath=\"/PERSON/NAME/ID\" Type=\"String\" /> </XmlConfig></XmlConfig>";

            txtAreaValue.InnerText = str;
        }

        protected void Display_Click(object sender, EventArgs e)
        {
            //Shows the Item detail Edit box
            ModalPopupExtender.Show();
        }

        protected void BtnCancel_Click(object sender, EventArgs e)
        {
            ModalPopupExtender.Hide();
        }
    }
}

To run the code.. Add ref to AjaxControlToolkit.dll and then run and you will see the textarea being populated with xml. Click on the cancel button and this causes the error. Please can anyone help me?

Solution

Use

<httpRuntime requestValidationMode="2.0" />

in your web.config (keeping any attributes you already have on that element, if it's already there). ASP.NET 4.0 ignores ValidateRequest otherwise.

And, of course, do make sure that you take necessary measures to protect against genuinely dangerous requests, now that it's not being done for you.

Edit: A great way of doing this is to create your own class derived from RequestValidator, and using the 4.0 behaviour, but with that as the class that does the checking.
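
One way to implement the RequestValidator approach described in the edit above, as an added example that is not code from the original answer: it keeps the built-in 4.0 check for every request value except the question's XML textarea, which must instead parse as well-formed XML with DTDs disabled. Assumptions: the class name XmlSettingsRequestValidator is hypothetical, the form key "txtAreaValue" and the path "~/WebForm1.aspx" are taken from the question's test page, the 64 KB limit is an arbitrary sample value, and the class is registered with <httpRuntime requestValidationType="WebApplication1.XmlSettingsRequestValidator" /> while the validation mode stays at 4.0.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Util;
using System.Xml;

namespace WebApplication1
{
    // Hypothetical class; the web.config registration is given in the lead-in.
    public class XmlSettingsRequestValidator : RequestValidator
    {
        // Assumptions: the textarea posts under its own id and the page is at the app root.
        private const string XmlFieldKey = "txtAreaValue";
        private const string XmlPagePath = "~/WebForm1.aspx";

        protected override bool IsValidRequestString(HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            bool isXmlField =
                requestValidationSource == RequestValidationSource.Form &&
                collectionKey == XmlFieldKey &&
                string.Equals(context.Request.AppRelativeCurrentExecutionFilePath,
                              XmlPagePath, StringComparison.OrdinalIgnoreCase);
            // Everything else keeps the built-in ASP.NET 4.0 check.
            if (!isXmlField)
                return base.IsValidRequestString(context, value, requestValidationSource,
                                                 collectionKey, out validationFailureIndex);

            validationFailureIndex = -1;
            if (string.IsNullOrWhiteSpace(value)) return true;
            // The exempted field must still be well-formed XML: no DTD, no
            // external resolution, bounded size.
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit,
                XmlResolver = null, MaxCharactersInDocument = 64 * 1024 };
            try
            {
                using (var reader = XmlReader.Create(new StringReader(value), settings))
                    while (reader.Read()) { }
                return true;
            }
            catch (XmlException)
            {
                validationFailureIndex = 0; // reject the whole value
                return false;
            }
        }
    }
}
```

The accepted XML is still untrusted text, so HTML-encode it wherever it is written back into a page.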
