当我在表单中提交HTML字符时,为什么ASP.NET会抛出内部服务器(500)错误?

时间:2022-04-09 08:38:57

When I put in HTML characters in my form, such as <br />, ASP.NET throws an internal 500 exception as described here.

当我在表单中输入HTML字符时,例如
,ASP.NET会抛出内部500异常,如此处所述。

A potentially dangerous Request.Form value was detected from the client (Name="<br />").

从客户端检测到潜在危险的Request.Form值(Name =“
”)。

Ok, so it's protecting me from unencoded characters that could be used for malicious reasons.

好吧,所以它保护我免受可能出于恶意原因使用的未编码字符。

The problem is, and this is answered nowhere in my long search, is what to do about it. I.e. my application shouldn't just be throwing a generic internal server error when a user inputs bad characters (what if they're drawing an arrow such as <--).

问题是,在我的长期搜索中无处可回答,该怎么办呢。即我的应用程序不应该只是在用户输入错误字符时抛出通用内部服务器错误(如果他们正在绘制诸如< - 的箭头,那该怎么办)。

What would be better is to simply return to the page with a ModelState error that says "Please don't use HTML characters" or something meaningful.

更好的是简单地返回到具有ModelState错误的页面,该错误显示“请勿使用HTML字符”或有意义的内容。

But how is this to be achieved? The error is thrown way before it gets to my code. Also, I don't want to just turn it off via validateRequest="false" and then have to validate every single form in my application for HTML characters and return an error.

但是如何实现呢?错误在它到达我的代码之前被抛出。此外,我不想通过validateRequest =“false”将其关闭,然后必须验证我的应用程序中的每个表单的HTML字符并返回错误。

Is there a way to leave this type of validation enabled but just handle it differently?

有没有办法让这种类型的验证启用但只是以不同的方式处理它?

Code for clarification:

澄清代码:

Model

模型

Public Class SomeModel
    Public Property SomeField As String
End Class

Controller

调节器

<HttpPost>
Function SomeController(ByVal model As SomeModel)
    ' model.SomeField contains some HTML characters :O
    ' but it doesn't matter, since an internal error has occured :(
End Function

4 个解决方案

#1


2  

It is definitely possible to show your own error page with whatever message you see fit.
You use customError pages for this.

您可以使用您认为合适的任何消息显示您自己的错误页面。您可以使用customError页面。

You can configure these error pages to be shown for the appropriate error code.

您可以配置这些错误页面以显示相应的错误代码。

<configuration>
   <system.web>
      <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" 
                    defaultRedirect="GenericError.htm">
         <error statusCode="500" redirect="InternalError.aspx"/>
      </customErrors>
   </system.web>
</configuration>

Displaying a Custom Error Page

显示自定义错误页面

On your error page you can detect the last error with Server.GetLastError() and use it show an appropriate message, if you want this case of html data to be handled differently.

在错误页面上,您可以使用Server.GetLastError()检测最后一个错误,并使用它显示相应的消息,如果您希望以不同方式处理这种情况的html数据。

#2


2  

Have you tried adding the AllowHtml attribute to the property of your viewmodel?

您是否尝试将AllowHtml属性添加到viewmodel的属性中?

#3


1  

It sounds like what you want is to have it turned off globally.

听起来你想要的是全局关闭它。

Your concern of having to validate every single input in your application is less of a problem than it used to be with both razor and the <%: %> asp.net web pages syntax automatically HTML encoding output. The only fields of your application that you would need to manually validate to make sure that they didn't contain HTML would be fields that get displayed as un-encoded raw text.

您不得不验证应用程序中每个输入的问题,而不是像以前那样使用razor和<%:%> asp.net网页语法自动HTML编码输出。您需要手动验证以确保它们不包含HTML的应用程序的唯一字段将是显示为未编码的原始文本的字段。

#4


0  

To allow restricted input in the model use the AllowHtmlAttribute on the model property. That's the first step.

要允许模型中的受限输入,请使用model属性上的AllowHtmlAttribute。这是第一步。

Then create a custom validator or use the RegularExpressionAttribute to validate the input to your spec.

然后创建自定义验证器或使用RegularExpressionAttribute验证规范的输入。

Or, if want to allow the user to input restricted characters use HttpUtility.HtmlEncode to encode the value .

或者,如果要允许用户输入受限制的字符,请使用HttpUtility.HtmlEncode对值进行编码。

#1


2  

It is definitely possible to show your own error page with whatever message you see fit.
You use customError pages for this.

您可以使用您认为合适的任何消息显示您自己的错误页面。您可以使用customError页面。

You can configure these error pages to be shown for the appropriate error code.

您可以配置这些错误页面以显示相应的错误代码。

<configuration>
   <system.web>
      <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" 
                    defaultRedirect="GenericError.htm">
         <error statusCode="500" redirect="InternalError.aspx"/>
      </customErrors>
   </system.web>
</configuration>

Displaying a Custom Error Page

显示自定义错误页面

On your error page you can detect the last error with Server.GetLastError() and use it show an appropriate message, if you want this case of html data to be handled differently.

在错误页面上,您可以使用Server.GetLastError()检测最后一个错误,并使用它显示相应的消息,如果您希望以不同方式处理这种情况的html数据。

#2


2  

Have you tried adding the AllowHtml attribute to the property of your viewmodel?

您是否尝试将AllowHtml属性添加到viewmodel的属性中?

#3


1  

It sounds like what you want is to have it turned off globally.

听起来你想要的是全局关闭它。

Your concern of having to validate every single input in your application is less of a problem than it used to be with both razor and the <%: %> asp.net web pages syntax automatically HTML encoding output. The only fields of your application that you would need to manually validate to make sure that they didn't contain HTML would be fields that get displayed as un-encoded raw text.

您不得不验证应用程序中每个输入的问题,而不是像以前那样使用razor和<%:%> asp.net网页语法自动HTML编码输出。您需要手动验证以确保它们不包含HTML的应用程序的唯一字段将是显示为未编码的原始文本的字段。

#4


0  

To allow restricted input in the model use the AllowHtmlAttribute on the model property. That's the first step.

要允许模型中的受限输入,请使用model属性上的AllowHtmlAttribute。这是第一步。

Then create a custom validator or use the RegularExpressionAttribute to validate the input to your spec.

然后创建自定义验证器或使用RegularExpressionAttribute验证规范的输入。

Or, if want to allow the user to input restricted characters use HttpUtility.HtmlEncode to encode the value .

或者,如果要允许用户输入受限制的字符,请使用HttpUtility.HtmlEncode对值进行编码。