[CLOSED] A potentially dangerous Request.Form value was detected from the client (he_info="<div><font face="tah...").



hdsoso
Mar 20, 2014, 11:29 AM
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="WebForm23.aspx.cs" Inherits="extdemo.test.WebForm23" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title></title>
</head>
<body>
<form id="form1" runat="server">
<ext:ResourceManager ID="ResourceManager1" runat="server" SourceFormatting="True" RenderScripts="CDN" RenderStyles="CDN"></ext:ResourceManager>
<ext:Viewport ID="Viewport1" runat="server" Layout="FitLayout">
<Items>
<ext:FormPanel ID="FormPanel1" runat="server" Layout="AnchorLayout" Title="企业简介">
<Items>

<ext:HtmlEditor LabelWidth="75" ID="he_info" runat="server" Margin="4" FieldLabel="企业简介" AnchorVertical="-100" AnchorHorizontal="100%"></ext:HtmlEditor>
</Items>
<Buttons>
<ext:Button ID="Button1" runat="server" Text="确定" Icon="Disk">
<DirectEvents>
<Click OnEvent="SaveComp"></Click>
</DirectEvents>
</ext:Button>
</Buttons>
</ext:FormPanel>

</Items>
</ext:Viewport>
</form>
</body>
</html>





using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Ext.Net;

namespace extdemo.test
{
public partial class WebForm23 : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!X.IsAjaxRequest)
{
he_info.Text = Server.HtmlDecode("&lt;div&gt;&lt;font face=&quot;tahoma, arial, verdana, sans-serif&quot;&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; 苏州市吴中区木渎镇乐图模流分析公司,注册成立于2009年3月 '&quot;&lt;/font&gt;&lt;/div&gt;");
}
}

protected void SaveComp(object sender, DirectEventArgs e)
{
var a = Server.HtmlEncode(he_info.Text);
he_info.Text = Server.HtmlDecode(a);
X.Msg.Alert("info", "success").Show();
}
}
}


When the page loads and I click the "确定" button, this error is shown:


从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。

说明: ASP.NET 在请求中检测到包含潜在危险的数据,因为它可能包括 HTML 标记或脚本。该数据可能表示存在危及应用程序安全的尝试,如跨站点脚本攻击。如果此类型的输入适用于您的应 用程序,则可包括明确允许的网页中的代码。有关详细信息,请参阅 http://go.microsoft.com/fwlink/?LinkID=212874。

异常详细信息: System.Web.HttpRequestValidationException: 从客户端(he_info="<div><font face="tah...")中检测到有潜在危险的 Request.Form 值。



BUT when I simply add a blank space to the HtmlEditor, or edit it a little, there is no error. Why?

Daniil
Mar 20, 2014, 3:07 PM
Hi @hdsoso,

We are investigating. Here is a slightly simplified example.

Example

<%@ Page Language="C#" %>

<%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>

<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
if (!X.IsAjaxRequest)
{
this.HtmlEditor1.Text = "<div>Test</div>";
}
}

protected void TestDirectEventHandler(object sender, DirectEventArgs e)
{
X.Msg.Alert("DirectEvent", this.HtmlEditor1.Text).Show();
}
</script>

<!DOCTYPE html>
<html>
<head runat="server">
<title>Ext.NET v2 Example</title>
</head>
<body>
<form runat="server">
<ext:ResourceManager runat="server" />

<ext:HtmlEditor ID="HtmlEditor1" runat="server" />

<ext:Button runat="server" Text="Test" OnDirectClick="TestDirectEventHandler" />
</form>
</body>
</html>

hdsoso
Mar 21, 2014, 2:01 AM
Your example faces the same issue.
Please see the video.
http://screencast.com/t/OO1qfDiObsH2

geoffrey.mcgill
Mar 21, 2014, 2:11 AM
The following thread is related to this subject:

http://forums.ext.net/showthread.php?78-OPEN-HtmlEditor-and-potentially-dangerous-Request-Form-value

Example


<%@ Page Language="C#" ValidateRequest="false" %>

Daniil
Mar 21, 2014, 4:25 AM
Your example faces the same issue.

Yes, it is just a standalone and simplified sample to reproduce the same problem.

hdsoso
Mar 21, 2014, 9:59 AM
The following thread is related to this subject:

http://forums.ext.net/showthread.php?78-OPEN-HtmlEditor-and-potentially-dangerous-Request-Form-value

Example


<%@ Page Language="C#" ValidateRequest="false" %>

I added this to the page tag, but it does not work.

Daniil
Mar 21, 2014, 10:20 AM
There should be this setting in Web.config.

<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
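
The two settings discussed in this thread (ValidateRequest="false" on the page directive and requestValidationMode="2.0" in Web.config) switch ASP.NET request validation off for every field of every request in the application. The following single-file page is an added example, not code posted by anyone in the thread and not Ext.NET's own code; it shows the narrower alternative available since ASP.NET 4.5: keep requestValidationMode="4.5" in Web.config, set ValidateRequestMode="Disabled" on the one HtmlEditor that legitimately posts markup, and HTML-encode that value wherever it is rendered as text. It assumes the Ext.NET control exposes the inherited System.Web.UI.Control.ValidateRequestMode property in markup and loads its posted value through the normal postback path (so the per-control setting applies); the field ID he_info, the handler name SaveComp and the sample HTML are taken from or modelled on the first post, and the sample string is constructed.

```aspx
<%-- Added example: per-control request validation instead of an app-wide switch. --%>
<%-- Assumed Web.config (the default mode for a .NET 4.5 application):
       <system.web>
         <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
       </system.web>
     Do NOT combine this with requestValidationMode="2.0" + ValidateRequest="false",
     which disables validation for the whole site. --%>
<%@ Page Language="C#" %>
<%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
<%@ Import Namespace="Ext.Net" %>

<script runat="server">
    // Constructed sample value of the kind the HtmlEditor posts back
    // (markup, quotes and an apostrophe, which request validation rejects).
    private const string SampleHtml =
        "<div><font face=\"tahoma, arial\">Company profile '\"</font></div>";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!X.IsAjaxRequest)
        {
            this.he_info.Text = SampleHtml;
        }
    }

    protected void SaveComp(object sender, DirectEventArgs e)
    {
        // Because ValidateRequestMode="Disabled" is set on he_info only, this read
        // does not raise HttpRequestValidationException, while every other
        // field on the page is still validated by ASP.NET.
        string html = this.he_info.Text;

        // Request.Unvalidated (ASP.NET 4.5+) is the explicit per-read alternative:
        // it returns the raw posted value without disabling validation anywhere else.
        string raw = Request.Unvalidated.Form["he_info"] ?? string.Empty;

        // Store the markup for the editor, but render it encoded wherever it is
        // shown as text, so that script in the stored HTML cannot execute there.
        string encodedPreview = Server.HtmlEncode(html);

        X.Msg.Alert("info",
            "Saved " + html.Length + " characters" +
            (raw == html ? "" : " (control text differs from raw form value)") +
            "<br/>Encoded preview: " + encodedPreview).Show();
    }
</script>

<!DOCTYPE html>
<html>
<head runat="server">
    <title>Per-control ValidateRequestMode example</title>
</head>
<body>
    <form runat="server">
        <ext:ResourceManager runat="server" />

        <%-- Only this field may post markup; ValidateRequestMode is inherited from
             System.Web.UI.Control (assumed to be honoured by the Ext.NET control). --%>
        <ext:HtmlEditor ID="he_info" runat="server"
            FieldLabel="Company profile"
            ValidateRequestMode="Disabled" />

        <%-- A second field left under normal validation: "<script>" typed here
             still produces the exception from the first post. --%>
        <ext:TextField ID="tf_name" runat="server" FieldLabel="Name" />

        <ext:Button runat="server" Text="Save" Icon="Disk" OnDirectClick="SaveComp" />
    </form>
</body>
</html>
```

If the framework reads Request.Form itself rather than through the control, the per-control setting will not take effect and only the page-level or Request.Unvalidated route remains; in that case the encoding step on output is still the part that matters, since request validation is only a coarse input filter and not a substitute for output encoding.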

Daniil
Mar 24, 2014, 5:17 AM
It has been fixed in the revision #5727. It will go to the v2.5.1 release.

macroe
Mar 25, 2014, 7:44 AM
Brother, it is really rare to run into someone who posts a title in Chinese!

Hi, man! Met here to say Chinese people was not easy!

Daniil
Mar 25, 2014, 7:51 AM
Hi @macroe,

Could you, please, translate to English for others?