.net-4.0 – 为什么有潜在危险的请求错误甚至ValidateRequest = false

这是我的Default.aspx

<%@ Page Language="C#" AutoEventWireup="true"  CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>
<html>
    <head runat="server">
        <title>xss demonstration</title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            We are looking for your Feedback. 
            <asp:TextBox ID="txtFeedback" runat="server" TextMode="MultiLine" />
            <br />
            <asp:Button ID="submit" runat="server" Text="Submit" onclick="submit_Click" />
            <br />
            Comment: 
            <br />
            <asp:Literal ID="ltlFeedback" runat="server" />
        </div>
        </form>
    </body>
</html>

以下是Default.aspx.cs

public partial class _Default : System.Web.UI.Page 
{
    protected void submit_Click(object sender,EventArgs e)
    {
        this.ltlFeedback.Text = this.txtFeedback.Text;
    }
}

当我运行应用程序并在文本框中输入以下内容时.

<script>alert('Hello')</script>

我得到以下错误.

A potentially dangerous Request.Form value was detected from the
client (txtFeedback=”alert(‘Hello…”).

我的问题是为什么即使在页面中将ValidateRequest设置为false,我也会收到此错误？

解决方法

在.net framework 4.0中,您必须设置< httpRuntime requestValidationMode =“2.0”/> web.config中的标记.

<system.web>
     <compilation debug="false" targetFramework="4.0" />
     <httpRuntime requestValidationMode="2.0"/>
</system.web>

看看参考文章 – ASP.NET 4 Breaking Changes #1: requestValidationMode cause ValidateRequest=False to fail.

.net-4.0 – 为什么有潜在危险的请求错误甚至ValidateRequest = false

解决方法

相关文章