问题描述
我想检查我的MVC应用程序的安全性。当我尝试输入HTML或JavaScript它给出了一个错误:潜在危险的请求
I am trying to check the security of my MVC application. When I try to input html or javascript it gives an error: Potential dangerous request.
Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
这看起来不错,这是不可能注入HTML或JavaScript。但是,我不喜欢的东西,用户将看到我的版本ASP.net和一切。
This looks good, it is not possible to inject HTML or JavaScript. But the thing that I do not like, the users will see my version of ASP.net and everything.
我如何删除这个错误,并给出只是一个信息:我不喜欢你的输入或任何
How can I remove this error and give just a message with: I don't like your input or whatever.
我试图做到这一点,但是这是行不通的:
I have tried to do this but this is not working:
[Authorize]
public ActionResult Create(int album_id)
{
ViewBag.album_id = album_id;
return View();
}
[Authorize]
[HttpPost]
public ActionResult Create(REVIEW model)
{
string txt = null;
try
{
txt = model.TEKST;
}
catch (System.Web.HttpRequestValidationException)
{
txt = "errorrr";
}
return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID});
}
解决方案:
见Nudier的答案
SOLUTION:See Nudier's answer
推荐答案
您可以通过以下方式在应用程序中处理错误
you can handle errors within your application in the following way
1 设置CustomErros模式部分应用程序的Web.config文件
1. Setting the CustomErros mode section in your Web.Config file of your application
这个选项的mode属性可以接受的列表。
仅限远程:显示远程用户的一般错误页面。丰富的错误页面显示为
本地请求(即从当前计算机发出的请求)。这是在
默认设置。
RemoteOnly: Generic error pages are shown for remote users. Rich error pages are shown forlocal requests (requests that are made from the current computer). This is thedefault setting.
关闭显示为所有用户提供丰富的错误页面,无论请求的来源。
这个设置是在许多开发方案中有用的,但不应该使用
部署的应用程序。
Off: Rich error pages are shown for all users, regardless of the source of the request.This setting is helpful in many development scenarios but should not be used ina deployed application.
在显示所有用户的一般错误页,无论来源
请求。这是最安全的选择。
On: Generic error pages are shown for all users, regardless of the source of therequest. This is the most secure option.
<System.Web>
//map all the erros presented in the application to the error.aspx webpage
<customErrors mode="RemoteOnly" defaultRedirect ="~/error.aspx" />
<System.Web>
2 throught的Global.asax中的Application_Error功能文件
2. throught Global.asax file in the Application_Error function
//handle all the errors presented in the application
void Application_Error(object sender, EventArgs e){
Server.Tranfer("error.aspx");
}
我希望这对你的作品。
I hope this works for you.
这篇关于潜在危险的请求,隐藏错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!