ASP.NET Core 如何覆盖无效值消息
[英]ASP.NET Core how to override not valid value message
问题描述
I'm perfoming penetration tests with Acunetix and the following query "api/venues?gameId=1'"()%26%25vAtC(9571)" is getting the following response:
我正在使用 Acunetix 进行渗透测试,以下查询“api/venues?gameId=1'”()%26%25vAtC(9571)”得到以下响应:
{ "status": 400, "userMessage": [ "There are validation errors" ], "validationErrors": [ "The value '1'\\"()&%<acx><ScRiPt >NJMi(9780)</ScRiPt>' is not valid." ] }
This is detected by Acunetix as a posible XSS security issue and I would like to override the validation error message in order to avoid this in the whole application.这被 Acunetix 检测为可能的 XSS 安全问题,我想覆盖验证错误消息,以避免在整个应用程序中出现这种情况。
2 个解决方案
解决方案1
3 已采纳 2019-03-22 08:55:21
Model binder messages can be customized like this: 可以这样定制模型联编程序消息:
services.AddMvcCore().AddMvcOptions(options =>
{
options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(s => "The provided value is invalid.");
});
解决方案2
0 2021-10-08 14:02:00
Its worth adding that there are 3 other baked in binder errors, which display the value back, altogether:值得补充的是,还有 3 个其他烘焙错误,它们总共显示了值:
options.ModelBindingMessageProvider.SetAttemptedValueIsInvalidAccessor((x, y) => $"The value is not valid for {y}.");
options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(x => "The value is not valid.");
options.ModelBindingMessageProvider.SetValueIsInvalidAccessor(x => "The value is invalid.");
options.ModelBindingMessageProvider.SetValueMustNotBeNullAccessor(x => "The value is invalid.");
Best to check MSDN ModelBinding message providers, for what's currently available.最好检查 MSDN ModelBinding 消息提供程序,了解当前可用的内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.