它是一个安全风险设置EnableEventValidation =＆QUOT;假＆QUOT;在这个情况下？ [英] Is it a security risk setting EnableEventValidation="false" in this situation?

问题描述

我有一个包含用户控件的页面，当用户点击图像按钮带他们去显示他们点击一个错误的表行项目的详细另一页出现：

I have a page that contains a user control, when the user clicks an image button to take them to another page that displays details of the table row item they clicked an error occurs:

System.ArgumentException: Invalid postback or callback argument

我可以发生，如果我设置EnableEventValidation =false的制止这种错误。这是一个安全隐患？如果是这样，为什么？

I can stop this error from occurring if I set EnableEventValidation="false". Is this a security risk? If so, why?

推荐答案

此功能可降低未授权或恶意的回发请求和回调的风险。强烈建议您不要禁用事件验证。

当EnableEventValidation属性设置为true，ASP.NET验证了控制事件起源于一个由该控件呈现的用户界面[...]

When the EnableEventValidation property is set to true, ASP.NET validates that a control event originated from the user interface that was rendered by that control [...]

看<一个href=\"http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx\">http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx

如果你继续执行单一目的的目标页面我要说，确保目标页面没有实现任何潜在的安全漏洞，你可以禁用EventValidation此页。没有在web.config整个网站！

I'd say if you keep the target page performing a single purpose - namely displaying detailed data - and make sure that the target page does not implement any potential security holes you can disable the EventValidation for THIS page. not in the web.config for the whole site!

但是我认为这是更好地探讨为什么要得到这个错误！也许这是一个简单的解决方案，为您使用Queryparameters，形不成参数来指定要显示的数据重定向...

But I think it's better to investigate why you are getting this error! Maybe it's a simple solution for you to redirect using Queryparameters, not form parameters to specify the data you want to display...

这篇关于它是一个安全风险设置EnableEventValidation =＆QUOT;假＆QUOT;在这个情况下？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！