For beginners: how to disable request validation

Author: cg1  |  Source: access911.net  |  Updated: 2004-3-29

 

Question:

Regarding this sentence:
"Request validation can be disabled by setting validateRequest=false in the Page directive or the configuration section." Where is the Page directive? And where is the configuration section?

I typed "<input type=text>" into a text box and got the message below.


Server Error in '/WebApplication1' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Form value was detected from the client (TextBox1="<INPUT TYPE=TEXT>").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TextBox1="<INPUT TYPE=TEXT>").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (TextBox1="<INPUT TYPE=TEXT>").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   System.Web.HttpRequest.get_Form() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod()
   System.Web.UI.Page.DeterminePostBackMode()
   System.Web.UI.Page.ProcessRequestMain()
   System.Web.UI.Page.ProcessRequest()
   System.Web.UI.Page.ProcessRequest(HttpContext context)
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)



--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version: 1.1.4322.573; ASP.NET Version: 1.1.4322.573

 

Answer:

Go straight to the HTML view of WebForm1.aspx. The first line there is highlighted in yellow; add validateRequest=false inside the <% %>.

The relevant Microsoft article is quoted below:


Reference URL: http://support.microsoft.com/default.aspx?scid=kb;en-us;821343&Product=aspnet

PRB: You Receive an Error Message When You Deploy an ASP.NET 1.0 Application on a Server with ASP.NET 1.1


SYMPTOMS

When you deploy a Microsoft ASP.NET 1.0 Web application on a server with the Microsoft .NET Framework version 1.1 installed, you receive the following error message if unencoded input is submitted:
A potentially dangerous Request.Form value was detected from the client

CAUSE

When the .NET Framework 1.1 is installed on a computer, the default value of the validateRequest attribute is true. When the value of validateRequest is set to true, request validation is performed and an exception is thrown if the input has potentially dangerous values.

The new request validation feature in ASP.NET 1.1 proactively prevents attacks from dangerous values. It does not allow the server to process unencoded HTML content unless you decide to allow the content. The request validation feature is designed to help prevent some script-injection attacks where client script code or HTML can be unknowingly submitted to a server, can be stored, and then can be presented to other users.

RESOLUTION

The request validation feature of ASP.NET 1.1 prevents the server from accepting content that contains unencoded HTML. You can disable request validation by setting the validateRequest attribute to false in the @ Page directive or in the configuration section.

Disable Request Validation on a Page

To disable request validation on a page, you must set the validateRequest attribute of the @ Page directive to false:
<%@ Page validateRequest="false"  %>
Note: When request validation is disabled, the content is passed to the page unchecked. The page developer must make sure that the content is correctly encoded or correctly processed.

Disable Request Validation for Your Application

To disable request validation for your application, you must modify or create a Web.config file for your application and then set the validateRequest attribute of the <pages /> section to false (configuration element and attribute names are case-sensitive):
 <configuration> 
  <system.web> 
    <pages validateRequest="false" /> 
  </system.web> 
</configuration> 
If you want to disable request validation for all applications on your server, you can make this change to your Machine.config file.

Note: When request validation is disabled, the content is passed to your application unchecked. The application developer must make sure that the content is correctly encoded or correctly processed.
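The KB lists the page-level and application-level switches separately. The Web.config below is an added example, not part of the KB article, that combines them the way a practitioner should: validation stays on for the whole application and is switched off only for the single page that genuinely has to accept markup, using a <location> element scoped to that file. The file name RichEditor.aspx is hypothetical.

```xml
<configuration>
  <system.web>
    <!-- Application-wide: keep the .NET 1.1 default of validating every request. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Exemption limited to the one page that must accept raw HTML
       (hypothetical file name). Every other page is still protected,
       and this page's code must encode or filter what it receives. -->
  <location path="RichEditor.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

Putting the exemption in Web.config rather than in the @ Page directive also makes it visible in one place during a review: a grep for validateRequest="false" across the site shows exactly which pages run without the check.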

HTML Encode the Content

When request validation is disabled, you must HTML encode the content to prevent possible attacks by unencoded HTML content.

If you have disabled request validation, it is good practice to HTML encode content that will be stored for future use. HTML encoding automatically replaces any "<" or ">" characters (and several other symbols) with their corresponding HTML encoded representation.

You can easily HTML encode content on the server by using the Server.HtmlEncode(String) method. You can also easily HTML decode content. HTML decoding reverts HTML-encoded content back to standard HTML. To do this, use the Server.HtmlDecode(String) method.

Use the following code:

Microsoft Visual Basic. NET Code

<%@ Page Language="vb" validateRequest="false" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)   
         ' Set the label to the HtmlEncoded value of the TextBox.
         Label1.Text = Server.HtmlEncode(TextBox1.Text)
      End Sub
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click" 
               style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
               style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1"
               style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>

Microsoft Visual C# .NET Code

<%@ Page Language="c#" validateRequest="false" %>
<HTML>
   <HEAD>
      <title>WebForm2</title>
      <script runat="server">      
      private void Button1_Click(object sender, System.EventArgs e)
      { 
        // Set the label to the HtmlEncoded value of the TextBox.
         Label1.Text = Server.HtmlEncode(TextBox1.Text);
      }
      </script>
   </HEAD>
   <body>
      <form id="Form1" method="post" runat="server">
         <asp:Button id="Button1" OnClick="Button1_Click"
               style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
         </asp:Button>
         <asp:Label id="Label1" 
               style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
         </asp:Label>
         <asp:TextBox id="TextBox1" 
               style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
         </asp:TextBox>
      </form>
   </body>
</HTML>
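The KB sample encodes one value for one context. The console program below is an added example, not from the KB or from the original page, that shows what "explicitly check all input" means once validateRequest is off: the same submitted value needs a different encoding depending on whether it lands in element text, in a double-quoted attribute, or in a query string, and a field that was never meant to hold markup should be rejected outright before it is rendered. It is written for .NET Framework 1.1 (no generics) and compiles with `csc /r:System.Web.dll SafeOutput.cs`. The field name TextBox1, the Search.aspx link target and the sample inputs are all constructed for the example; the markup check is a deliberately simple rule of our own, not ASP.NET's internal list.

```csharp
// Added example (not from the KB article): encoding per output context, plus a
// reject-at-the-boundary check, for a page that runs with validateRequest="false".
// Compile on .NET Framework 1.1 or later:  csc /r:System.Web.dll SafeOutput.cs
using System;
using System.Text.RegularExpressions;
using System.Web;

public class SafeOutput
{
    // Our own simple rule (an assumption, not ASP.NET's internal list): a field that
    // is not meant to carry markup must not contain the start of a tag or a numeric
    // character reference.
    static readonly Regex MarkupStart = new Regex(@"<[a-zA-Z!/?]|&#", RegexOptions.Compiled);

    public static bool LooksLikeMarkup(string value)
    {
        return value != null && MarkupStart.IsMatch(value);
    }

    // Element content: <, >, & and " become entities, so the browser shows
    // <script> as text instead of executing it.
    public static string ForElementText(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Attribute value. HtmlEncode also escapes the double quote, so the result is
    // safe inside a double-quoted attribute. The single quote is not escaped on
    // .NET 1.1, so never emit single-quoted attributes with user data.
    public static string ForDoubleQuotedAttribute(string value)
    {
        return "\"" + HttpUtility.HtmlEncode(value) + "\"";
    }

    // Query-string parameter: percent-encode the value; the whole URL is then
    // still attribute-encoded when it is placed inside href="...".
    public static string ForQueryValue(string value)
    {
        return HttpUtility.UrlEncode(value);
    }

    // Builds the markup the page would emit for one submitted value of a
    // plain-text field (the field name is hypothetical).
    public static string Render(string fieldName, string value)
    {
        if (LooksLikeMarkup(value))
        {
            // Reject at the boundary. The error text echoes only the field name,
            // and even that is encoded.
            return "<p class=\"error\">Field " + ForElementText(fieldName)
                 + " must not contain HTML.</p>";
        }
        string href = "Search.aspx?q=" + ForQueryValue(value);
        return "<p>" + ForElementText(value) + "</p>\n"
             + "<a href=" + ForDoubleQuotedAttribute(href)
             + " title=" + ForDoubleQuotedAttribute(value) + ">search</a>";
    }

    public static void Main()
    {
        // Constructed samples: the KB's step-7 payload, an attribute-breakout
        // attempt that contains no '<' at all (request validation would pass it),
        // and a harmless value with an ampersand.
        string[] samples = {
            "<script>alert(\"cross-site script test!\")</script>",
            "\" onmouseover=\"alert(1)",
            "Tom & Jerry"
        };
        foreach (string s in samples)
        {
            Console.WriteLine("input : " + s);
            Console.WriteLine(Render("TextBox1", s));
            Console.WriteLine();
        }
    }
}
```

The second sample is the reason encoding matters even with validation on: `" onmouseover="alert(1)` contains no angle bracket, so request validation lets it through, and only the attribute encoding in ForDoubleQuotedAttribute stops it from closing the title attribute and adding an event handler.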

STATUS

This behavior is by design.

MORE INFORMATION

Steps to Reproduce the Behavior

  1. Start Microsoft Visual Studio .NET.
  2. Create a new ASP.NET 1.0 Web application by using Visual C# .NET or Visual Basic .NET. By default, WebForm1.aspx is created.
  3. Add a Button control, a TextBox control, and a Label control to WebForm1.aspx.
  4. Right-click WebForm1.aspx, and then click View HTML Source.
  5. Replace the existing code with the following code:

    Visual Basic .NET Code
    <%@ Page Language="vb" %>
    <HTML>
       <HEAD>
          <title>WebForm2</title>
          <script runat="server">      
          Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs)    
             Label1.Text = TextBox1.Text
          End Sub
          </script>
       </HEAD>
       <body>
          <form id="Form1" method="post" runat="server">
             <asp:Button id="Button1" OnClick="Button1_Click" 
                    style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
             </asp:Button>
             <asp:Label id="Label1" 
                    style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
             </asp:Label>
             <asp:TextBox id="TextBox1" 
                    style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
             </asp:TextBox>
          </form>
       </body>
    </HTML>
    
    Visual C# .NET Code
    <%@ Page Language="c#" %>
    <HTML>
       <HEAD>
          <title>WebForm2</title>
          <script runat="server">      
          private void Button1_Click(object sender, System.EventArgs e)
          {  
             Label1.Text = TextBox1.Text;
          }
          </script>
       </HEAD>
       <body>
          <form id="Form1" method="post" runat="server">
             <asp:Button id="Button1" OnClick="Button1_Click" 
                    style="Z-INDEX: 101; LEFT: 299px; POSITION: absolute; TOP: 172px" runat="server" Text="Button">
             </asp:Button>
             <asp:Label id="Label1" 
                    style="Z-INDEX: 102; LEFT: 403px; POSITION: absolute; TOP: 171px" runat="server">Label
             </asp:Label>
             <asp:TextBox id="TextBox1" 
                    style="Z-INDEX: 103; LEFT: 248px; POSITION: absolute; TOP: 122px" runat="server">
             </asp:TextBox>
          </form>
       </body>
    </HTML>
    
  6. On the Debug menu, click Start to run the application.
  7. Type the following text in the text box:

    <script>alert("cross-site script test!")</script>

  8. Click Button, and notice that the script is permitted to be posted back without encoded HTML. The message box appears.
  9. Deploy the same code on a server with the .NET Framework version 1.1 installed. You receive the error message that is mentioned in the "Symptoms" section of this article.
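The "Symptoms" step ends with the unhandled-exception page shown in the question. The Global.asax below is an added example, not part of the KB article, for the alternative the KB's status note implies: leave validateRequest at its .NET 1.1 default of true and turn the HttpRequestValidationException into a log entry and a plain HTTP 400 response instead of the yellow error screen. System.Diagnostics.Trace is a placeholder for whatever logger the application uses; the wording of the response is invented for the example.

```csharp
<%@ Application Language="c#" %>
<script runat="server">
// Added example (not from the KB article). Keep request validation on and
// handle its exception centrally instead of disabling the check.
protected void Application_Error(object sender, EventArgs e)
{
    Exception ex = Server.GetLastError();
    if (ex == null)
        return;

    // Page.ProcessRequest wraps the failure in HttpUnhandledException, so test
    // the innermost exception rather than the outer one.
    HttpRequestValidationException rv =
        ex.GetBaseException() as HttpRequestValidationException;
    if (rv == null)
        return;                 // some other error: leave it to customErrors

    // rv.Message already names the offending field and a prefix of its value.
    // That text is attacker-controlled: write it to a log sink, never into HTML.
    // Trace is a placeholder for the application's own logger.
    System.Diagnostics.Trace.WriteLine(String.Format(
        "Request validation rejected input: client={0} url={1} detail={2}",
        Request.UserHostAddress, Request.RawUrl, rv.Message));

    // Replace the default error page with a fixed, non-reflective response.
    Server.ClearError();
    Response.Clear();
    Response.StatusCode = 400;
    Response.ContentType = "text/html";
    Response.Write("<html><body><p>Your input contained HTML markup, which this form "
                 + "does not accept. Please remove it and try again.</p></body></html>");
    CompleteRequest();
}
</script>
```

The response deliberately contains nothing from the request, so there is no second reflection point to encode; the rejected value survives only in the log, where the log viewer, not the browser, decides how to display it.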

REFERENCES

For more information, visit the following Microsoft Web sites:

Request Validation - Preventing Script Attacks
http://www.asp.net/faq/RequestValidation.aspx#2

The <pages> Element
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfpagessection.asp

Protecting Against Script Exploits in a Web Application
http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskProtectingAgainstScriptExploitsInWebApplication.asp

The information in this article applies to:

  • Microsoft ASP.NET (included with the .NET Framework 1.1)
Last Reviewed: 7/17/2003 (1.0)
Keywords:kbWebForms kbConfig kbScript kbDeployment kbprb KB821343 kbAudDeveloper

The reference for the configuration section follows:

.NET Framework General Reference  

<pages> Element

Identifies page-specific configuration settings. The <pages> section can be declared at the machine, site, application, and subdirectory levels.

<configuration>
   <system.web>
      <pages>

<pages buffer="true|false" 
       enableSessionState="true|false|ReadOnly"
       enableViewState="true|false"
       enableViewStateMac="true|false"
       autoEventWireup="true|false"
       smartNavigation="true|false"
       pageBaseType="typename, assembly"
       userControlBaseType="typename"
       validateRequest="true|false"/>

Optional Attributes

Attribute Option Description
buffer     Specifies whether the URL resource uses response buffering.
    true Indicates that response buffering is enabled.
    false Indicates that response buffering is not enabled.
enableSessionState     Specifies whether session state is enabled.
    true Indicates that session state is enabled.
    false Indicates that session state is not enabled.
    ReadOnly Specifies that an application can read but cannot modify session state variables.
enableViewState     Specifies whether view state is enabled.
    true Indicates that view state is enabled.
    false Indicates that view state is not enabled.
enableViewStateMac     Specifies whether ASP.NET should run a message authentication code (MAC) check on the page's view state when the page is posted back from the client. A view state MAC is a keyed hash appended to the hidden form field in which a page's view state is persisted when it is sent to the browser; it authenticates the field but does not encrypt it. If true, the MAC is verified on postback so that view state tampered with on the client is rejected.
    true Indicates that view state is MAC checked.
    false Indicates that view state is not MAC checked. The default is false.
smartNavigation     Specifies whether smart navigation is enabled. Smart navigation requires Microsoft Internet Explorer 5.5 or greater.
    true Indicates that smart navigation is enabled.
    false Indicates that smart navigation is not enabled. The default is false.
pageBaseType     Specifies a code-behind class that .aspx pages inherit by default.
userControlBaseType     Specifies a code-behind class that user controls inherit by default.
autoEventWireup     Indicates whether page events are automatically enabled.
    true Indicates that page events are automatically enabled.
    false Indicates that page events are not automatically enabled.
validateRequest     Indicates that ASP.NET examines all input from the browser for potentially dangerous data. If true, request validation is performed by comparing all input data to a list of potentially dangerous values. If a match occurs, ASP.NET raises an HttpRequestValidationException exception.
    true Indicates that input from the browser is checked. The default is true.
    false Indicates that input from the browser is not checked.

Example

The following example specifies several page configuration settings.

<configuration>
   <system.web>
      <pages buffer="true"
             enableSessionState="true"
             autoEventWireup="true"
             smartNavigation="true"/>
   </system.web>
</configuration>

Requirements

Contained Within: <system.web>

Web Platform: IIS 5.0, IIS 5.1, IIS 6.0

Configuration File: Machine.config, Web.config

Configuration Section Handler: System.Web.UI.PagesConfigurationHandler

See Also

ASP.NET Configuration | ASP.NET Settings Schema


 

 

 
Site established: April 2, 2000  |  Design and construction: 陳格 (access911 & cg1)
Copyright © 2000 - 2003 COMET, 陳格. All rights reserved.