检测到潜在危险的Request.Form值
[英]A potentially dangerous Request.Form value was detected
问题描述
I'm using a php script to http post some xml files to a .net URL. 
我正在使用php脚本将一些xml文件发布到.net URL。
When I submit I get the response: 当我提交时,我收到回复:
A potentially dangerous Request.Form value was detected from the client (<?xml version="...UTF-8"?> <!DOCTYPE cXML SYSTE..."). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
As I'm not using .NET I can't set ValidateRequest="false" in web.config. 因为我没有使用.NET,所以我无法在web.config中设置ValidateRequest =“false”。
Do I need to sanitize my xml before submitiing? 在提交之前我需要清理我的xml吗? How can I do this? 我怎样才能做到这一点?
5 个解决方案
解决方案1
3 2013-07-03 09:00:19
On MVC, put below on post 在MVC上,将帖子放在下面
[HttpPost, ValidateInput(false)]
public ActionResult PostMethod(Model viewModel)
解决方案2
3 已采纳 2010-08-16 10:01:58
It's intriguing that you can see the full error, but are not capable of accessing the ASP.NET code. 有趣的是,您可以看到完整的错误,但无法访问ASP.NET代码。 Normally, one can only see the full error when in debug mode, because in production, the error-setting is (should be) RemoteOnly or Off . 通常,在调试模式下只能看到完整错误,因为在生产中,错误设置(应该是) RemoteOnly或Off 。 This seems a configuration mistake and a potential risk on the side of the ASP.NET site. 这似乎是一个配置错误,并且在ASP.NET站点方面存在潜在风险。
You say "to http post some xml files" . 你说“要http发布一些xml文件” 。 If you were indeed posting files , you wouldn't receive this response. 如果您确实发布了文件 ,则不会收到此回复。 Maybe you can contact the site's owner and ask for him to change the form to allow file-input. 也许您可以联系该网站的所有者并要求他更改表单以允许文件输入。
You can change your input such that it doesn't look like XML anymore, but then it isn't XML anymore either. 您可以更改输入,使其不再像XML,但它不再是XML。 Ie, change all < in < 即,改变所有< in < and you'll be able to get your data through, but it must be unescaped when processed. 并且您将能够获取您的数据,但在处理时必须取消转义。
If this site is supposed to accept XML, it must be changed to accept XML. 如果该站点应该接受XML,则必须将其更改为接受XML。 Either it should accept files, or it should accept HTML/XML input by turning ValidateRequest to off. 它应该接受文件,或者它应该通过将ValidateRequest关闭来接受HTML / XML输入。 If it is not supposed to receive XML, there's little you can do. 如果它不应该接收XML,那么你几乎无能为力。 It's like filling in a bank's payment form by putting letters in the amount-field: it just won't work (unless it was designed to work that way). 这就像填写银行的付款表格一样,在金额字段中加上字母:它只是不起作用(除非它的设计是以这种方式工作)。
解决方案3
2 2010-08-16 09:50:58
You need to set ValidateRequest="false" in the page that's receiving the XML, not in the page that's sending it. 您需要在接收XML的页面中设置ValidateRequest="false" ,而不是在发送它的页面中。 If you don't have any access to the page that you're passing the XML to, then you'll need to find another way to pass the data, or transform it into another format first as pretty much anything that looks like HTML will cause an asp.net page to trigger this warning. 如果您没有对要传递XML的页面的任何访问权限,那么您需要找到另一种传递数据的方法,或者首先将其转换为另一种格式,因为几乎任何看起来像HTML的东西都会导致asp.net页面触发此警告。
解决方案4
1 2010-08-16 12:51:57
XML or anything that "looks like" it, is considered dangerous by default, as a reasonable way to block XSS attacks on something expecting plaintext content. XML或任何“看起来像”它的东西,默认情况下被认为是危险的,作为阻止XSS攻击期望明文内容的一种合理方法。
The problem is with the resource you are submitting to, not with your code, file a bug or tech-support request with them. 问题在于您提交的资源,而不是您的代码,向他们提交错误或技术支持请求。
解决方案5
1 2011-11-04 17:21:53
If you use ASP.NET 4.0, except for setting in page 如果使用ASP.NET 4.0,则在页面中进行设置除外
<%@ Page ValidateRequest="false" />
add in web.config 在web.config中添加
<httpRuntime requestValidationMode="2.0" />
This should help 这应该有所帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.