requestValidationMode 导致 ValidateRequest=False 失效或者ASP.NET 4.0事件消息: 发生了验证错误；检测到有潜在危险的Request.Form值

 

[转帖]requestValidationMode 导致 ValidateRequest=False 失效或者ASP.NET 4.0事件消息: 发生了验证错误；检测到有潜在危险的Request.Form值

作者：kwanann 阅读：2748 发表于：2010-09-19 12:46:15

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

XML/XHTML 代码

<!--

Code highlighting produced by Actipro CodeHighlighter (freeware)
http://www.CodeHighlighter.com/

--> < httpRuntime requestValidationMode =”2.0″ />

IMPORTANT:

Because this is now in the BeginRequest phase of a HTTP request, pages with validationRequest=”false”  will still get the dreaded message. The only way is to

   1. Set requestValidationMode=”2.0″ in which case the page setting will apply
   2. Ignore requestValidationMode setting and create your own requestvalidator and change your web.config to use the custom validator


Creating your own custom request validation

Here’s the sample code to create your own custom request validation which allows all html tags except script tags

You will need to modify the web.config as well

XML/XHTML 代码

<!--

Code highlighting produced by Actipro CodeHighlighter (freeware)
http://www.CodeHighlighter.com/

--> < httpRuntime requestValidationType =”Globals.CustomRequestValidation”/>

NOTE: There is no current way to find out whether the page has validateRequest=false. I’ve submitted a feedback to Microsoft, click here to view the status of the request

C# 代码

<!--

Code highlighting produced by Actipro CodeHighlighter (freeware)
http://www.CodeHighlighter.com/

-->
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Util;

namespace Globals
{
   /// <summary>
   /// Summary description for CustomRequestValidation
   /// </summary>
   public class CustomRequestValidation : RequestValidator
  {
     public CustomRequestValidation() { }
     protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
       // block script tags
      var idx = value.ToLower().IndexOf( " <script " );
       if (idx > - 1 )
      {
        validationFailureIndex = idx;
         return false ;
      }
       else
      {
        validationFailureIndex = 0 ;
         return true ;
      }
    }
  }
}

原文：http://jefferytay.wordpress.com/2010/04/15/asp-net-4-breaking-changes-1-requestvalidationmode-cause-validaterequestfalse-to-fail/