A new ASP.NET version 1.1 feature, request validation, prevents the server from accepting content containing un-encoded HTML. This feature is designed to help prevent some script-injection attacks whereby client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users. We still strongly recommend that you validate all input data and HTML encode it when appropriate.
Request Validation 是ASP.NET 1.1的新特征,它可以禁止服务器接受含有未编码的HTML的内容。这个特征可以有效地保护服务器免受注入式脚本攻击。强烈建议验证所有的输入数据和HTML编码。
For example, you create a Web page that requests a user’s e-mail address and then stores that e-mail address in a database. If the user enters <SCRIPT>alert(“hello from script”)</SCRIPT> instead of a valid e-mail address, when that data is presented, this script can be executed if the content was not properly encoded. The new request validation feature of ASP.NET 1.1 prevents this from happening.
例如,你需要创建一个获取和存储用户email的网页。如果用于写入<SCRIPT>alert(“hello from script”)</SCRIPT>这样子的话,就会出问题。(啥问题我就不说了,hoho)
嗯,1.1直接就把这些过虑了,呵呵。出错信息就是potentially dangerous Request.Form value was detected...
<%@ Page validateRequest="false" %>
Caution: When request validation is disabled, content can be submitted to a page; it is the responsibility of the page developer to ensure that content is properly encoded or processed.
Disabling request validation for your application
To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the <PAGES /> section to false:
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
这样可以关闭这个功能。
或者嘛,就是encoder好了
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。