
A potentially dangerous Request.Form value was detected from the client, encoding help please

So I'm attempting to submit a string as a param over a POST in JS to an ASP.NET service and I'm having some difficulty. Before it's stated, I do not have access to the server and cannot touch the validation; I am strictly accessing from an external client. I get this response back:

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (message="...t;img src='http://192.168.1...").
    at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
    at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
    at System.Web.HttpRequest.get_Form()
    at System.Web.Services.Protocols.HtmlFormParameterReader.Read(HttpRequest request)
    at System.Web.Services.Protocols.HttpServerProtocol.ReadParameters()
    at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()

The message I'm sending is:

xcvxzcvzxcvxcvzxcv< br /><img src='http://192.168.1.1:82/UserUploads/Images/65968/20130122020024996.jpg' alt='User Image' />

Which I encode using:

htmlEncode: function(str) {
        str = str.replace(/&/g, '&amp;');
        str = str.replace(/'/g, '&#39;');
        str = str.replace(/"/g, "&quot;");
        str = str.replace(/</g, '&lt;');
        str = str.replace(/>/g, '&gt;');
        return str;
    },

which produces:

xcvxzcvzxcvxcvzxcv&lt; br /&gt;&lt;img src=&#39;http://192.168.1.1:82/UserUploads/Images/65968/20130122020802027.jpg&#39; alt=&#39;User Image&#39; /&gt;

I have run through several validators and checked my encoding and I cannot figure out what is causing the issue. My only guess is that the http:// is causing the problem as it's shown in the JavaScript error, but I'm not sure. Any help or insight would be greatly appreciated.

The problem was the encoding for '. According to user409762, the combination of &# is flagged as dangerous in asp.net.

So now my encoding looks like this and works fine.

htmlEncode: function(str) {
    str = str.replace(/&/g, '&amp;');
    str = str.replace(/"/g, "&quot;");
    str = str.replace(/</g, '&lt;');
    str = str.replace(/>/g, '&gt;');
    return str;
},

Using jQuery, you can perform the encode and decode like this link.

function htmlEncode(value) {
    return $('<div/>').text(value).html();
}

function htmlDecode(value) {
    return $('<div/>').html(value).text();
}
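To see why removing the `&#39;` replacement clears the exception, the following added example (not code from either answer) approximates the ASP.NET request-validation check on the client and runs both encoders from the thread through it. The rule used here is an assumption modelled on the .NET Framework behaviour: a value is rejected when `<` is followed by a letter, `!`, `/` or `?`, or when `&` is followed by `#`. The function names and sample string are constructed for illustration.

```javascript
// Added example. Approximation (assumption) of the .NET Framework request-validation
// heuristic: '<' followed by a letter, '!', '/' or '?', or '&' followed by '#'.
function tripsRequestValidation(value) {
  for (let i = 0; i < value.length - 1; i++) {
    const c = value[i];
    const next = value[i + 1];
    if (c === '<' && /[A-Za-z!\/?]/.test(next)) return true;
    if (c === '&' && next === '#') return true;
  }
  return false;
}

// Encoder as posted in the question: single quotes become &#39;.
function encodeWithNumericQuote(str) {
  return str.replace(/&/g, '&amp;').replace(/'/g, '&#39;')
            .replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Encoder as posted in the fix: single quotes are passed through unchanged.
function encodeWithoutQuote(str) {
  return str.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
            .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed sample, shaped like the message in the question.
const SAMPLE = "text<br /><img src='http://example.invalid/a.jpg' alt='User Image' />";

// Summarise how each form of the value fares against the check.
function report(str) {
  const fixed = encodeWithoutQuote(str);
  return {
    raw: tripsRequestValidation(str),
    numericQuote: tripsRequestValidation(encodeWithNumericQuote(str)),
    withoutQuote: tripsRequestValidation(fixed),
    quoteSurvives: fixed.includes("'"),
  };
}

console.log(report(SAMPLE));
```

With the fixed encoder the single quotes reach the service unencoded, so whatever later renders the message has to encode it for its output context.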
