使用MVC副作用[HttpPost，ValidateInput（假）] [英] MVC Side effect of using [HttpPost, ValidateInput(false)]

问题描述

我有

@Html.TextAreaFor(x => x.Text)

我的控制器动作原本看上去类似于此：

My controller Action originally looked similar to this:

[HttpPost]
public ViewResult Index(MyViewModel vm)
{
    using (var db = new MyEntities())
    {
        Post p = new Post();
        p.Text = vm.Text;
        db.Posts.AddObject(p);
        db.SaveChanges();
    }
    return View();
}

这工作得很好。用户输入到了TextArea文本传递到控制器，并通过实体框架在SQL Server中保存到Post表。此字段的数据类型为varchar（1000）。 （也有使用MetadataType用[StringLength（1000）]确认文本字段模型验证。）

This worked fine. The text the user entered into the TextArea was passed into the controller and saved into the Post table in SQL Server via Entity Framework. The data type for this field is varchar(1000). (There is also Model validation on the Text field using MetadataType with [StringLength(1000)] validation.)

我发现，如果我试图复制一些HTML源代码并将其粘贴到了TextArea并提交，我收到以下错误：

I noticed that if I tried to copy some HTML source and paste it into the TextArea and submit it, I received the following error:

的从客户端检测到有潜在危险的Request.Form值的

该错误导致我<一个href=\"http://stackoverflow.com/questions/81991/a-potentially-dangerous-request-form-value-was-detected-from-the-client\">this问题，而夺去有，我可以简单地添加

The error led me to this question, and the take away from there was that I could simply add

[HttpPost, ValidateInput(false)]

我的行动来制止这种类型的验证。这种奇妙的工作，但我surpise，不管是什么我试图把到文本区域，我不能引起任何问题。如果我用引号字符千疮百孔的JavaScript，HTML或T-SQL语句贴，它仍然能正常工作。我看到我进了出现在SQL表中的文本区域的确切角色，如果我显示的文字回的看法，我看到在源中的每个字符转换为HTML对应，并在屏幕上显示看起来就像它没有当我进入它，我没有做任何形式的文字转化为实现这一目标。这似乎在默认情况下一切工作完全按照我想让它。当然，我很高兴这一点，但是当我读到有关禁用验证，随后往往是与你应该明白这样做的后果警告，我不认为我做的。所以我想，有什么后果？有什么人可以键入可能在我的文本区域，可以胡来作为禁止输入验证的结果？

to my Action to stop that type of validation. This worked wonderfully, but to my surpise, no matter what I tried putting into the TextArea, I couldn't cause any problems. If I paste in javascript, html or T-SQL statements riddled with quote characters, it still works fine. I see the exact characters I entered into the TextArea appearing in the SQL table, and if I display the text back to the View, I see in the source each character is converted to the HTML counterpart, and the display on the screen looks just like it did when I entered it in. I did not do any sort of text conversion to accomplish this. It seems by default everything is working exactly as I want it to. Of course I'm glad for this, but when I read about disabling the validation, it is often followed with a warning that you should understand the consequences of doing this, and I don't think I do. So I wonder, what are the consequences? Is there anything someone could possibly type into my TextArea that could mess things up as a result of disabling the input validation?

在情况下，它是相关的，我特别的设置是MVC4，.NET 4.0，实体框架4.4，SQL Server 2012的前preSS。

In case it's relevant, my particular setup is MVC4, .NET 4.0, Entity Framework 4.4, SQL Server 2012 Express.

推荐答案

如果您使用的是剃须刀的任何文本，你的输出会自动连接codeD PTED如JavaScript等。

If you are using razor any text that you output will automatically be encoded which will appear as text in the browser but not be interpreted as javascript etc.

如果你正在转向验证了你必须要非常小心，以确保您在编码所有用户输入等。无论您显示，这样你不要在不经意间你的页面由于somethign用户输入（看XSS上运行一些JavaScript代码一些例子）。

If you are turning validation off you have to be very careful to ensure that you are encoding all user input whereever you display it so that you dont inadvertently run some javascript on your page due to somethign a user entered (look at XSS for some examples).

您可以通过添加某种JavaScript警告的快速测试（虽然不是穷举搜索）（'你好'）在你的数据库调用各种VARCHAR字段，看看它，当您访问的页面被调用。

You can test quickly (althought not an exhaustive search) by adding some kind of javascript alert('hello') call to various varchar fields in your database and see if it gets called when you visit the page.

另外，即使你的arent显示用户数据可能具有的影响取决于你如何做你的数据访问。

Also even if you arent displaying the user data it may have implications depending on how you do your data access.

即使你使用类似您不是保护SQL注入，例如，如果你使用存储过程并没有做验证输入检查实体框架。请参阅本特洛伊亨特的文章

Even if you use something like entity framework you are not protected from sql injection for instance if you used stored procedures and did not do validation checking on the input. See Troy Hunt's article on this

这篇关于使用MVC副作用[HttpPost，ValidateInput（假）]的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！