For beginners: how to disable request validation

Author: cg1   Source: access911.net   Updated: 2004-3-29

 

Question:

Regarding this sentence: "Request validation can be disabled by setting validateRequest=false in the Page directive or in the configuration section." Where is the Page directive, and where is the configuration section?

I typed "<input type=text>" into a text box and got the error shown below:


“/WebApplication1”应用程序中的服务器错误。
--------------------------------------------------------------------------------

从客户端(TextBox1="<INPUT TYPE=TEXT>")中检测到有潜在危险的 Request.Form 值。 
说明: 请求验证过程检测到有潜在危险的客户端输入值,对请求的处理已经中止。该值可能指示危及应用程序安全的尝试,如跨站点的脚本攻击。通过在 Page 指令或 配置节中设置 validateRequest=false 可以禁用请求验证。但是,在这种情况下,强烈建议应用程序显式检查所有输入。 

异常详细信息: System.Web.HttpRequestValidationException: 从客户端(TextBox1="<INPUT TYPE=TEXT>")中检测到有潜在危险的 Request.Form 值。

源错误: 

执行当前 Web 请求期间生成了未处理的异常。可以使用下面的异常堆栈跟踪信息确定有关异常原因和发生位置的信息。  

堆栈跟踪: 


[HttpRequestValidationException (0x80004005): 从客户端(TextBox1="<INPUT TYPE=TEXT>")中检测到有潜在危险的 Request.Form 值。]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod()
   System.Web.UI.Page.DeterminePostBackMode()
   System.Web.UI.Page.ProcessRequestMain()
   System.Web.UI.Page.ProcessRequest()
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 


--------------------------------------------------------------------------------
版本信息: Microsoft .NET Framework 版本:1.1.4322.573; ASP.NET 版本:1.1.4322.573 

 

Answer:

Go straight to the HTML view of WebForm1.aspx; the first line there is highlighted in yellow. Add validateRequest=false inside that <% %> directive.

The relevant Microsoft article is reproduced below:

Reference URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;821343&Product=aspnet

PRB: You Receive an Error Message When You Deploy an ASP.NET 1.0 Application on a Server with ASP.NET 1.1

SYMPTOMS

When you deploy a Microsoft ASP.NET 1.0 Web application on a server with the Microsoft .NET Framework version 1.1 installed, you receive the following error message if unencoded input is submitted:
A potentially dangerous Request.Form value was detected from the client

CAUSE

When the .NET Framework 1.1 is installed on a computer, the default value of the validateRequest attribute is true. When the value of validateRequest is set to true, request validation is performed and an exception is thrown if the input has potentially dangerous values.

The new request validation feature in ASP.NET 1.1 proactively prevents attacks from dangerous values. It does not allow the server to process unencoded HTML content unless you decide to allow the content. The request validation feature is designed to help prevent some script-injection attacks where client script code or HTML can be unknowingly submitted to a server, can be stored, and then can be presented to other users.

RESOLUTION

The request validation feature of ASP.NET 1.1 prevents the server from accepting content that contains unencoded HTML. You can disable request validation by setting the validateRequest attribute to false in the @ Page directive or in the configuration section.

Disable Request Validation on a Page

To disable request validation on a page, you must set the validateRequest attribute of the @ Page directive to false:
<%@ Page validateRequest="false" %>
Note: When request validation is disabled, content is submitted to a page. The page developer must make sure that the content is correctly encoded or is correctly processed.

Disable Request Validation for Your Application

To disable request validation for your application, you must modify or create a Web.config file for your application and then set the validateRequest attribute of the <pages> section to false:
 <configuration> 
  <system.web> 
    <pages validateRequest="false" /> 
  </system.web> 
</configuration> 
If you want to disable request validation for all applications on your server, you can make this change to your Machine.config file.

Note: When request validation is disabled, content is submitted to your application. The application developer must make sure that the content is correctly encoded or is correctly processed.

HTML Encode the Content

When request validation is disabled, you must HTML encode the content to prevent possible attacks by unencoded HTML content.

If you have disabled request validation, it is good practice to HTML encode content that will be stored for future use. HTML encoding automatically replaces any "<" or ">" characters (and several other symbols) with their corresponding HTML encoded representation.

You can easily HTML encode content on the server by using the Server.HtmlEncode(String) method. You can also easily HTML decode content. HTML decoding reverts HTML-encoded content back to standard HTML. To do this, use the Server.HtmlDecode(String) method.

Use the following code:

Microsoft Visual Basic. NET Code

<%@ Page Language="vb" validateRequest="false" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)   
         ' Set the label to the HTML-encoded value of TextBox1.
         Label1.Text = Server.HtmlEncode(TextBox1.Text)
      End Sub
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click" 
               style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
               style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1"
               style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>

Microsoft Visual C# .NET Code

<%@ Page Language="c#" validateRequest="false" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      private void Button1_Click(object sender, System.EventArgs e)
      { 
         // Set the label to the HTML-encoded value of TextBox1.
         Label1.Text = Server.HtmlEncode(TextBox1.Text);
      }
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click"
               style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
               style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1" 
               style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce the Behavior

  1. Start Microsoft Visual Studio .NET.
  2. Create a new ASP.NET 1.0 Web application by using Visual C# .NET or Visual Basic .NET. By default, WebForm1.aspx is created.
  3. Add a Button control, a TextBox control, and a Label control to WebForm1.aspx.
  4. Right-click WebForm1.aspx, and then click View HTML Source.
  5. Replace the existing code with the following code:

    Visual Basic .NET Code
    <%@ Page Language="vb" %>
    <HTML>
       <HEAD>
          <title>WebForm2</title>
          <script runat="server">      
          Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)    
             Label1.Text = TextBox1.Text
          End Sub
          </script>
       </HEAD>
       <body>
          <form id="Form1" method="post" runat="server">
             <asp:Button id="Button1" OnClick="Button1_Click" 
                    style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
             </asp:Button>
             <asp:Label id="Label1" 
                    style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
             </asp:Label>
             <asp:TextBox id="TextBox1" 
                    style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
             </asp:TextBox>
          </form>
       </body>
    </HTML>
    
    Visual C# .NET Code
    <%@ Page Language="c#" %>
    <HTML>
       <HEAD>
          <title>WebForm2</title>
          <script runat="server">      
          private void Button1_Click(object sender, System.EventArgs e)
          {  
             Label1.Text = TextBox1.Text;
          }
          </script>
       </HEAD>
       <body>
          <form id="Form1" method="post" runat="server">
             <asp:Button id="Button1" OnClick="Button1_Click" 
                    style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
             </asp:Button>
             <asp:Label id="Label1" 
                    style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
             </asp:Label>
             <asp:TextBox id="TextBox1" 
                    style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
             </asp:TextBox>
          </form>
       </body>
    </HTML>
    
  6. On the Debug menu, click Start to run the application.
  7. Type the following text in the text box:

    <script>alert("cross-site script test!")</script>

  8. Click Button, and notice that the script is permitted to be posted back without encoded HTML. The message box appears.
  9. Deploy the same code on a server with the .NET Framework version 1.1 installed. You receive the error message that is mentioned in the "Symptoms" section of this article.
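The three outcomes this article walks through (validateRequest left at its 1.1 default, validation switched off with the unencoded Button1_Click from step 5, and validation switched off with the Server.HtmlEncode version from the Resolution section) replayed in a small Python model. This is an added example, not code from the KB article or from access911.net; the validate_request pattern is a deliberately simplified stand-in for ASP.NET's check (an assumption, not its real list of dangerous values), and html_encode covers only the characters the article names.

```python
# Added example (Python model, not ASP.NET code from the KB article or from access911.net).
# It replays the WebForm1.aspx post-back under the three configurations the article
# describes and shows what reaches the rendered page in each case.
import re


class HttpRequestValidationException(Exception):
    """Stands in for System.Web.HttpRequestValidationException."""


# ASSUMPTION: a simplified stand-in for ASP.NET 1.1's "list of potentially dangerous
# values": a '<' that opens a tag-like sequence, or a numeric character reference.
# The real check is not documented on the page and is not reproduced here.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def validate_request(form):
    """Model of the check Request.Form runs when validateRequest="true".
    Raises on the first offending field; wording modelled on the article's message."""
    for name, value in form.items():
        if _DANGEROUS.search(value):
            raise HttpRequestValidationException(
                f'A potentially dangerous Request.Form value was detected '
                f'from the client ({name}="{value}").')


def html_encode(text):
    """Model of Server.HtmlEncode for the characters the article names.
    '&' is replaced first so the entities produced afterwards are not re-escaped."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def html_decode(text):
    """Model of Server.HtmlDecode: reverses html_encode ('&amp;' last)."""
    return (text.replace("&quot;", '"').replace("&gt;", ">")
                .replace("&lt;", "<").replace("&amp;", "&"))


def render_label(text):
    """What <asp:Label id="Label1"> emits for a given Label1.Text."""
    return f'<span id="Label1">{text}</span>'


def handle_postback(form, validate_request_enabled, encode_output):
    """Simulated page life cycle for a POST of Form1.

    validate_request_enabled: the validateRequest attribute of @ Page / <pages>.
    encode_output: True for the Resolution version of Button1_Click
                   (Label1.Text = Server.HtmlEncode(TextBox1.Text)),
                   False for the step-5 version (Label1.Text = TextBox1.Text).
    """
    if validate_request_enabled:
        validate_request(form)  # the first access to Request.Form validates it
    text = form["TextBox1"]
    if encode_output:
        text = html_encode(text)
    return render_label(text)


# Constructed sample: the value the article tells you to type in step 7.
SAMPLE_FORM = {"TextBox1": '<script>alert("cross-site script test!")</script>'}


def demo(form=SAMPLE_FORM):
    """Returns the outcome of each configuration for one posted form."""
    results = {}
    try:
        results["validated"] = handle_postback(form, True, False)
    except HttpRequestValidationException as exc:
        results["validated"] = f"rejected: {exc}"
    # validateRequest="false" without encoding: the markup lands in the page verbatim
    results["unencoded"] = handle_postback(form, False, False)
    # validateRequest="false" with Server.HtmlEncode: the markup is rendered as text
    results["encoded"] = handle_postback(form, False, True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```

Running it shows the point the two Note paragraphs make: once validateRequest is false, nothing between the browser and Label1.Text rejects the markup, so the encode call in Button1_Click is the only thing keeping it out of the page. Turning validation off in the @ Page directive of the one page that must accept markup, rather than in Web.config or Machine.config, keeps the default check on every other page.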

REFERENCES

For more information, visit the following Microsoft Web sites:

Request Validation - Preventing Script Attacks
http://www.asp.net/faq/RequestValidation.aspx#2

The <pages> Element
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfpagessection.asp

Protecting Against Script Exploits in a Web Application
http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskProtectingAgainstScriptExploitsInWebApplication.asp

The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework 1.1)
Last Reviewed: 7/17/2003 (1.0)
Keywords: kbWebForms kbConfig kbScript kbDeployment kbprb KB821343 kbAudDeveloper

The reference for the configuration section (the <pages> element) follows:

.NET Framework General Reference  

<pages> Element

Identifies page-specific configuration settings. The <pages> section can be declared at the machine, site, application, and subdirectory levels.

<configuration>
   <system.web>
      <pages>

<pages buffer="true|false" 
       enableSessionState="true|false|ReadOnly"
       enableViewState="true|false"
       enableViewStateMac="true|false"
       autoEventWireup="true|false"
       smartNavigation="true|false"
       pageBaseType="typename, assembly"
       userControlBaseType="typename"
       validateRequest="true|false"/>

Optional Attributes

Attribute             Option     Description
buffer                           Specifies whether the URL resource uses response buffering.
                      true       Indicates that response buffering is enabled.
                      false      Indicates that response buffering is not enabled.
enableSessionState               Specifies whether session state is enabled.
                      true       Indicates that session state is enabled.
                      false      Indicates that session state is not enabled.
                      ReadOnly   Specifies that an application can read but cannot modify session state variables.
enableViewState                  Specifies whether view state is enabled.
                      true       Indicates that view state is enabled.
                      false      Indicates that view state is not enabled.
enableViewStateMac               Specifies whether ASP.NET should run a message authentication code (MAC) on the page's view state when the page is posted back from the client. A view state MAC is an encrypted version of the hidden variable that a page's view state is persisted to when sent to the browser. If true, the encrypted view state is checked to verify that it has not been tampered with on the client.
                      true       Indicates that view state is MAC checked.
                      false      Indicates that view state is not MAC checked. The default is false.
smartNavigation                  Specifies whether smart navigation is enabled. Smart navigation requires Microsoft Internet Explorer 5.5 or greater.
                      true       Indicates that smart navigation is enabled.
                      false      Indicates that smart navigation is not enabled. The default is false.
pageBaseType                     Specifies a code-behind class that .aspx pages inherit by default.
userControlBaseType              Specifies a code-behind class that user controls inherit by default.
autoEventWireup                  Indicates whether page events are automatically enabled.
                      true       Indicates that page events are automatically enabled.
                      false      Indicates that page events are not automatically enabled.
validateRequest                  Indicates that ASP.NET examines all input from the browser for potentially dangerous data. If true, request validation is performed by comparing all input data to a list of potentially dangerous values. If a match occurs, ASP.NET raises an HttpRequestValidationException exception.
                      true       Indicates that input from the browser is checked. The default is true.
                      false      Indicates that input from the browser is not checked.

Example

The following example specifies several page configuration settings.

<configuration>
   <system.web>
      <pages buffer="true"
             enableSessionState="true"
             autoEventWireup="true"
             smartNavigation="true"/>
   </system.web>
</configuration>

Requirements

Contained Within: <system.web>

Web Platform: IIS 5.0, IIS 5.1, IIS 6.0

Configuration File: Machine.config, Web.config

Configuration Section Handler: System.Web.UI.PagesConfigurationHandler

See Also

ASP.NET Configuration | ASP.NET Settings Schema


 

 

 