惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

W
WeLiveSecurity
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Security @ Cisco Blogs
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
腾讯CDC
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
Microsoft Azure Blog
Microsoft Azure Blog
罗磊的独立博客
F
Full Disclosure
博客园 - 【当耐特】
C
CERT Recently Published Vulnerability Notes
Engineering at Meta
Engineering at Meta
Application and Cybersecurity Blog
Application and Cybersecurity Blog
T
Threatpost
I
Intezer
V2EX - 技术
V2EX - 技术
H
Hackread – Cybersecurity News, Data Breaches, AI and More
The Hacker News
The Hacker News
小众软件
小众软件
Google DeepMind News
Google DeepMind News
T
Tailwind CSS Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
B
Blog RSS Feed
Microsoft Security Blog
Microsoft Security Blog
N
News | PayPal Newsroom
MyScale Blog
MyScale Blog
AI
AI
Vercel News
Vercel News
Spread Privacy
Spread Privacy
美团技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The GitHub Blog
The GitHub Blog
V
Vulnerabilities – Threatpost
Schneier on Security
Schneier on Security
Cyberwarzone
Cyberwarzone
G
GRAHAM CLULEY
Help Net Security
Help Net Security
Hacker News: Ask HN
Hacker News: Ask HN
Google DeepMind News
Google DeepMind News
MongoDB | Blog
MongoDB | Blog
L
LINUX DO - 热门话题
U
Unit 42
L
LangChain Blog
Recent Announcements
Recent Announcements

博客园 - 谢T

数据绑定 DataTable - 谢T - 博客园 清除SQL注入的语句 分页存储过程3 生活规则 分页存储过程-02 (CodeMatic) 分页存储过程-01(转) html 导出 word (转) - 谢T ado.net 数据阅读器 - 谢T - 博客园 双截棍(程序员版) ado.net 续1 交流学习 yo2 Blog(WordPress) 申请码大放送 初识 ado.net 页面传值 ASP.NET 2.0技术内幕 20080606 第一部分 .net与面向对象 第一章 OO大智慧 开始
转载:老问题再次发生 “从客户端(userName="<hr />")中检测到有潜在危险的 Request.Form 值” 解决方案
谢T · 2011-10-10 · via 博客园 - 谢T

A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$txtCode="<code></code>").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set requestValidationMode="2.0" in the configuration section. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$txtCode="<code></code>").


Version Information: Microsoft .NET Framework Version:4.0.21006; ASP.NET Version:4.0.21006.1

在安装了Visual Studio 2010 Beta2之后,当页面输入框默认情况下输入“<”或者“>”的时候。按照访问策略,这将导致一些安全问题,诸如:跨站脚本攻击(cross-site scripting attack)。而这个问题的更准确描述则是,当你在安装了.NET Framework 4.0以上版本后,当你的应用程序以.NET Framework 4.0为框架版本,你的任意服务器请求,都将被进行服务器请求验证(ValidationRequest),这不仅包括ASP.NET,同时也包括Web Services等各种HTTP请求,不仅仅针对aspx页面,也针对HTTP Handler,HTTP Module等,因为这个验证(Valify)的过程,将会发生在BeginRequest事件之前。

基于以上原理,在ASP.NET之前的版本中,请求验证也是默认开通的,但是发生在页面级(aspx)的,并且只在请求执行的时候生效,因此,在旧的版本中,我们只需要按以下方式配置即可:

在页面级别(aspx中)设置
ValidateRequest="false"
或者
在全局级别(Web.config中)设置
<configuration>
    <system.web>
        <pages  validateRequest="false">

但是,以上设置仅对ASP.NET4.0以上有效。在ASP.NET4.0版本上,我们需要更多一行的配置:

在全局级别(Web.config中)设置
<configuration>
    <system.web>
        <httpRuntime  requestValidationMode="2.0">

这一点其实在发生错误的页面中已经有说明了。在实际使用过程中,不仅如此,而且我发现requestValidationMode只要设置成小于4.0就可以,比如:1.0,2.0,3.0,3.9都是可以的,错误提示中指明用2.0,目的只是说明用ASP.NET 2.0的默认方式进行工作。