堆栈内存溢出
  简体   繁体   English

如何在不将 RequestValidationMode 设置为 2.0 的情况下禁用请求验证?

[英]How do I disable request validation without setting RequestValidationMode to 2.0?

 原文  2011-10-12 13:36:49       c#/ .net/ asp.net/ request-validation/ requestvalidationmode

问题描述

We've just upgraded to ASP.NET 4.0, and found that requestValidation no longer works.我们刚刚升级到ASP.NET 4.0,发现requestValidation不再起作用了。 The MSDN docs suggest we need to set requestValidationMode in web.config to 2.0: MSDN 文档建议我们需要将 web.config 中的requestValidationMode设置为 2.0:

  • 4.0 (the default). 4.0(默认)。 The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. HttpRequest object 在内部设置了一个标志,指示无论何时访问任何 HTTP 请求数据都应触发请求验证。 This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request.这保证了在请求期间访问 cookies 和 URL 等数据之前触发请求验证。 The request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are ignored.配置文件中的页面元素(如果有)或单个页面中的@Page 指令的请求验证设置将被忽略。
  • 2.0. 2.0。 Request validation is enabled only for pages, not for all HTTP requests.仅对页面启用请求验证,而不是对所有 HTTP 请求启用。 In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.此外,配置文件中页面元素(如果有)或单个页面中的@Page 指令的请求验证设置用于确定要验证哪些页面请求。

This will work for us, however I'm a little puzzled.这对我们有用,但我有点困惑。 It seems that we're putting this into a legacy/compatibility mode.看来我们正在将其置于遗留/兼容模式中。 Surely it should be possible to have the 4.0 behaviour, but still have an option to turn this off on a page?当然应该可以有 4.0 的行为,但仍然可以选择在页面上关闭它?

5 个解决方案

解决方案1
 26  2012-06-02 04:15:15

I found a way to achieve this without changing RequestValidationMode to 2.0 to the whole site: 我找到了一种方法来实现这一点,而无需将RequestValidationMode更改为2.0到整个站点:

You can crate a sub-directory for the page you want to disable the request validation and add a new web.config to this directory with RequestValidationMode set to 2.0, this way only this directory will work in 2.0 mode without affecting all other requests that will work in 4.0 mode. 您可以为要禁用请求验证的页面创建子目录,并将新的web.config添加到此目录,并将RequestValidationMode设置为2.0,这样只有此目录才能在2.0模式下工作,而不会影响所有其他请求在4.0模式下工作。

I think you can add an location section to your main web.config specifying only one page, but I didn't tested this yet. 我想你可以在主web.config中添加一个位置部分,只指定一个页面,但我还没有测试过。 Something like this: 像这样的东西: 

<location path="Admin/Translation.aspx">
    <system.web>
        <httpRuntime requestValidationMode="2.0"/>
    </system.web>
</location>

Hope it helps you as helped me ! 希望它可以帮助你帮助我!

解决方案2
 4  2012-03-23 20:02:04

Your best bet is to override the requestValidationType with your own code: 您最好的选择是使用您自己的代码覆盖requestValidationType:

<httpRuntime requestValidationType="YourNamespace.YourValidator" />

MSDN link MSDN链接

解决方案3
 3  2011-11-11 23:32:44

It appears that it is not possible to turn this on or off for a page in requestValidationMode 4.0. 似乎无法在requestValidationMode 4.0中为页面打开或关闭此功能。

This whitepaper outlines breaking changes in .Net 4.0, of which this seems to be one. 白皮书概述了.Net 4.0中的重大变化,其中似乎是一个。 Even the whitepaper suggests reverting back to requestValidationMode 2.0 即使是白皮书建议还原为requestValidationMode 2.0

To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file: 若要还原到ASP.NET 2.0请求验证功能的行为,请在Web.config文件中添加以下设置:

<httpRuntime requestValidationMode="2.0" />

Although it also helpfully recommends 虽然它也有助于推荐

that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors. 您分析任何请求验证错误,以确定现有处理程序,模块或其他自定义代码是否访问可能是XSS攻击媒介的可能不安全的HTTP输入。

without giving any guidance on how best to resolve these issues 没有就如何最好地解决这些问题提供任何指导

解决方案4
 1  2022-04-16 16:09:45

Set requestValidationMode="0.0" to disable ASP.NET pages and HTTP requests validation.设置 requestValidationMode="0.0" 以禁用 ASP.NET 页面和 HTTP 请求验证。 Value 0.0 recognized in ASP.NET 4.6 and later.值 0.0 在 ASP.NET 4.6 及更高版本中得到认可。 MSDN MSDN

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="0.0" />

解决方案5
 -3  2011-10-12 13:42:26

您可以在page指令中将ValidateRequest设置为false: 

<%@ Page ValidateRequest="false" %>

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用requestValidationMode = 2.0接收“潜在危险的Request.Form” - Receiving “potentially dangerous Request.Form” with requestValidationMode = 2.0 RequestValidationMode 2.0配置错误 - RequestValidationMode 2.0 Configuration Error 可以设置RequestValidationMode =“2.0”页面级别吗? - Can Set RequestValidationMode=“2.0” page level? 如何从Nancy 2.0上的POST请求中获取数据? - How do I get data from a POST request on Nancy 2.0? 如何在 VS2010 中禁用此代码视图设置? - How do I disable this code view setting in VS2010? 为什么我不能禁用请求验证? - why I cant disable request validation? 如何在加载时禁用IDataErrorInfo和DataAnnotations验证 - How do I disable IDataErrorInfo & DataAnnotations Validation on load 使用Razor时,我们仍然需要禁用请求验证吗? - Do we still need to disable request validation when using Razor? web.config中的requestvalidationmode =“2.0”validaterequest =“false”无法正常工作 - requestvalidationmode=“2.0” validaterequest=“false” in web.config not working 如何禁用用于验证消息签名的x509证书的验证? - How do I disable validation of the x509 certificate used to validate a message signature?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM