I have an asp.net site....I would like to know how to handle this error gracefully when a user enters and submit an illegal character (xss attack).
我有一个asp.net站点....我想知道如何在用户输入并提交非法字符(xss攻击)时优雅地处理这个错误。
"A potentially dangerous Request.Form value was detected from the client (ctl00$TextBox1="").........etc"
“一个有潜在危险的请求。从客户那里检测出了表单值(ctl00$TextBox1=“……”)
I can turn-off the requestvalidation attribute and write a code to filter the string with illegal characters but I think it's not a good practice to turn it off. I would rather leave this on and catch the error gracefully say redirecting the user to another page that would tell him/her the error. How would you do this?
我可以断开requestvalidation属性和写代码过滤非法字符的字符串,但我想这不是一个好的做法关机。我宁愿离开这,抓住错误优雅地说将用户重定向到另一个页面,会告诉他/她的错误。你会怎么做?
4 个解决方案
#1
2
I have had the same problem at a project we wanted keep using the validate request options as a first line of defense. The problem is that in web forms, the form values are validated during the initial phase of process request.
我在一个项目中遇到了同样的问题,我们希望继续使用validate request选项作为第一道防线。问题是,在web表单中,表单值在流程请求的初始阶段进行验证。
The way we eventually solved this is in the following way:
我们最终解决这个问题的方法如下:
- Disable Request validation for the project
- 禁用项目的请求验证
- Create a Custom validator that inherits from base validator
- 创建继承自基本验证器的自定义验证器
- Use the Custom validator on all pages (or master page)
- 在所有页面(或母版页面)上使用自定义验证器
our custom validator looks similar to the one below:
我们的定制验证器看起来与下面的验证器相似:
public class UserInputValidator : BaseValidator
{
private HttpRequest Request
{
get { return HttpContext.Current.Request; }
}
protected override bool ControlPropertiesValid()
{
//Override the base functionality because this will check for a control to validate, what we won't do.
return true;
}
protected override bool EvaluateIsValid()
{
bool isValid = true;
var message = new StringWriter();
if (Request != null)
{
//Validate input will enable request validation.
Request.ValidateInput();
NameValueCollection formValues = Request.Form;
foreach (string formKey in formValues.Keys)
{
try
{
#pragma warning disable 168
//Access the form variable to trigger request validation.
string formValue = formValues[formKey];
#pragma warning restore 168
}
catch (HttpRequestValidationException)
{
string orgValue = Request.Unvalidated.Form[formKey];
message.WriteLine("The following input is not allowed: {0}", HttpUtility.HtmlEncode(orgValue));
isValid = false;
}
}
}
ErrorMessage = message.ToString();
return isValid;
}
}
This works because when the request validation is disabled, the ValidateInput is not called. By calling this method when validating the page, we force the request validation to be activated for the request.
这之所以有效,是因为当禁用请求验证时,不会调用ValidateInput。通过在验证页面时调用此方法,我们强制为请求激活请求验证。
The next thing we will have to do is access each value from the form collection (at least in asp.net 4.5) so the exception is triggered when appropriate.
接下来我们要做的是访问表单集合中的每个值(至少在asp.net 4.5中),所以在适当的时候触发异常。
#2
1
This error happens at a higher level on the page, before any of the major processing is handled, and it causes the request to abort.
此错误发生在页面的更高级别,在处理任何主要处理之前,并导致请求中止。
I believe your only option here is to handle the exception on the Application_Error
method within the global.asax and then redirect to a custom error page if needed.
我认为您在这里唯一的选择是在全局中处理Application_Error方法的异常。asax,然后在需要时重定向到自定义错误页面。
#3
0
Handle gracefully, well you would have to do the form checking to find the error yourself, so you would have to do this for each input element or create a component to parse the posted form collection, not an easy task to do... (or at least check the relevant fields).
优雅地处理,你必须自己检查表单来查找错误,所以你必须对每个输入元素都这样做,或者创建一个组件来解析已发布的表单集合,这不是一件容易的事情……(或至少检查相关字段)。
Then you could redirect to an error page with that message. Alternatively, if you leave it on, and like already mentioned handle Application_Error (or potentially the OnError method within the page), you could then redirect them to an error page with this message, essentially doing the same thing.
然后您可以使用该消息重定向到错误页面。或者,如果您保留它,就像前面提到的句柄Application_Error(或者可能是页面中的OnError方法),那么您可以使用此消息将它们重定向到一个错误页面,本质上是做同样的事情。
#4
0
Check with JavaScript first, and display error message instantly. And duplicate this check in Application_Error event as Mitchel said.
首先使用JavaScript检查,并立即显示错误消息。并在Application_Error事件中复制该检查,如Mitchel所说。
#1
2
I have had the same problem at a project we wanted keep using the validate request options as a first line of defense. The problem is that in web forms, the form values are validated during the initial phase of process request.
我在一个项目中遇到了同样的问题,我们希望继续使用validate request选项作为第一道防线。问题是,在web表单中,表单值在流程请求的初始阶段进行验证。
The way we eventually solved this is in the following way:
我们最终解决这个问题的方法如下:
- Disable Request validation for the project
- 禁用项目的请求验证
- Create a Custom validator that inherits from base validator
- 创建继承自基本验证器的自定义验证器
- Use the Custom validator on all pages (or master page)
- 在所有页面(或母版页面)上使用自定义验证器
our custom validator looks similar to the one below:
我们的定制验证器看起来与下面的验证器相似:
public class UserInputValidator : BaseValidator
{
private HttpRequest Request
{
get { return HttpContext.Current.Request; }
}
protected override bool ControlPropertiesValid()
{
//Override the base functionality because this will check for a control to validate, what we won't do.
return true;
}
protected override bool EvaluateIsValid()
{
bool isValid = true;
var message = new StringWriter();
if (Request != null)
{
//Validate input will enable request validation.
Request.ValidateInput();
NameValueCollection formValues = Request.Form;
foreach (string formKey in formValues.Keys)
{
try
{
#pragma warning disable 168
//Access the form variable to trigger request validation.
string formValue = formValues[formKey];
#pragma warning restore 168
}
catch (HttpRequestValidationException)
{
string orgValue = Request.Unvalidated.Form[formKey];
message.WriteLine("The following input is not allowed: {0}", HttpUtility.HtmlEncode(orgValue));
isValid = false;
}
}
}
ErrorMessage = message.ToString();
return isValid;
}
}
This works because when the request validation is disabled, the ValidateInput is not called. By calling this method when validating the page, we force the request validation to be activated for the request.
这之所以有效,是因为当禁用请求验证时,不会调用ValidateInput。通过在验证页面时调用此方法,我们强制为请求激活请求验证。
The next thing we will have to do is access each value from the form collection (at least in asp.net 4.5) so the exception is triggered when appropriate.
接下来我们要做的是访问表单集合中的每个值(至少在asp.net 4.5中),所以在适当的时候触发异常。
#2
1
This error happens at a higher level on the page, before any of the major processing is handled, and it causes the request to abort.
此错误发生在页面的更高级别,在处理任何主要处理之前,并导致请求中止。
I believe your only option here is to handle the exception on the Application_Error
method within the global.asax and then redirect to a custom error page if needed.
我认为您在这里唯一的选择是在全局中处理Application_Error方法的异常。asax,然后在需要时重定向到自定义错误页面。
#3
0
Handle gracefully, well you would have to do the form checking to find the error yourself, so you would have to do this for each input element or create a component to parse the posted form collection, not an easy task to do... (or at least check the relevant fields).
优雅地处理,你必须自己检查表单来查找错误,所以你必须对每个输入元素都这样做,或者创建一个组件来解析已发布的表单集合,这不是一件容易的事情……(或至少检查相关字段)。
Then you could redirect to an error page with that message. Alternatively, if you leave it on, and like already mentioned handle Application_Error (or potentially the OnError method within the page), you could then redirect them to an error page with this message, essentially doing the same thing.
然后您可以使用该消息重定向到错误页面。或者,如果您保留它,就像前面提到的句柄Application_Error(或者可能是页面中的OnError方法),那么您可以使用此消息将它们重定向到一个错误页面,本质上是做同样的事情。
#4
0
Check with JavaScript first, and display error message instantly. And duplicate this check in Application_Error event as Mitchel said.
首先使用JavaScript检查,并立即显示错误消息。并在Application_Error事件中复制该检查,如Mitchel所说。