A potentially dangerous Request.QueryString value

2019-01-15 05:31发布

问题:

I m making an ajax call using jQuery to an ASP.NET page which acts as my ajax server page to save the data which i am sending to it in the query string. In the ASP.NET page when i am trying to read the querystring i am getting this error:

A potentially dangerous Request.QueryString value was detected from the client...

I have set the ValidateRequest="false" in my page. Dont want to set it for all the pages. So did it in page level instead of config level:

  var content = "<h3>Sample header</h3><p>sample para</p>"
  content = encodeURIComponent(content);
  var url = "../Lib/ajaxhandler.aspx?mode=savecontent&page=home&ltxt=" + content;

     $.post(url, function (data) { 
       //check return value and do something
   });

and in my asp.net page:

 <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="ajaxhandler.aspx.cs" ValidateRequest="false" Inherits="MyProject.Lib.ajaxhandler" %>

But when i am sending plain text instead of the html markup, it works fine.

回答1:

If this is ASP.NET 4, there was a breaking change with ValidateRequest. See this StackOverflow question for more information on requestValidationMode.



回答2:

There's already a good answer for this, and here i'll provide the information so that you don't have to click through links.

When running ASP.NET 4.0, you will need to set the following in your web.config file RequestValidationMode="2.0".

What is this property for?

A value that indicates which ASP.NET version-specific approach to validation will be used. The default is 4.0.

So what are the possible values?

  • 4.0 (the default). The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any
    HTTP request data is accessed. This guarantees that the request
    validation is triggered before data such as cookies and URLs are
    accessed during the request. The request validation settings of the
    pages element (if any) in the configuration file or of the @ Page
    directive in an individual page are ignored.

  • 2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the pages element (if any) in the configuration file or of the @ Page directive in an individual page are used to determine which page requests to validate.

Information citated from this msdn site.



回答3:

If you want to add a custom validation logic for one particular ASP.NET page or for one or more query string parameters without setting ValidateRequest="false" for entire page - the following "hacky" solution could be useful:

public partial class MyPage : System.Web.UI.Page
{
    private string SomeUnvalidatedValue { get; set; }

    public override void ProcessRequest(HttpContext context)
    {
        var queryString = context.Request.QueryString;

        var readOnly = queryString.GetType().GetProperty("IsReadOnly",
            System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic);

        readOnly.SetValue(queryString, false);

        var unvalidatedValue = context.Request.Unvalidated.QueryString["SomeKey"];
        // for RequestValidationMode="2.0"
        //var unvalidatedValue = context.Request.QueryString["SomeKey"];

        // custom logic goes here

        // you could store unvalidated value here and then remove it from the query string
        SomeUnvalidatedValue = unvalidatedValue;
        queryString["SomeKey"] = string.Empty;
        // or just remove all "potentially dangerous" symbols, for example
        if (!string.IsNullOrEmpty(unvalidatedValue))
        {
            queryString["SomeKey"] = Regex.Replace(unvalidatedValue,
                "(\\<+[a-z!/\\?])|(&\\#)", new MatchEvaluator((m) =>
                {
                    return m.Value.Replace("<", string.Empty).Replace("&#", string.Empty);
                }), RegexOptions.IgnoreCase);
        }

        readOnly.SetValue(queryString, true);

        // keep other request validation logic as is
        base.ProcessRequest(context);
    }
}

The regular expression made as result of this ASP.NET method analyzing: CrossSiteScriptingValidation.IsDangerousString

Code tested with .NET 4.5.2, IIS integrated mode, with and without RequestValidationMode="2.0".



回答4:

I've created a couple reusable methods based on VAV's answer

   public static string ExtractUnvalidatedValue(HttpRequest request, string key)
        {
            var unvalidatedValue =  HttpUtility.UrlDecode(request.Unvalidated.QueryString[key]);
            // for RequestValidationMode="2.0"
            //var unvalidatedValue = context.Request.QueryString["SomeKey"];

          // remove all "potentially dangerous" symbols
            return ReplacePotentiallyDangerousSymbols(unvalidatedValue, string.Empty);
        }

    public static string ReplacePotentiallyDangerousSymbols(string unvalidatedValue, string valueToReplace="")
        {
            if (!string.IsNullOrEmpty(unvalidatedValue))
            {
                //The regular expression made as result of this ASP.NET method analyzing: CrossSiteScriptingValidation.IsDangerousString http://referencesource.microsoft.com/#System.Web/CrossSiteScriptingValidation.cs,3c599cea73c5293b
                unvalidatedValue = Regex.Replace(unvalidatedValue,
                    "(\\<+[a-z!/\\?])|(&\\#)",
                    new MatchEvaluator((m) => { return m.Value.Replace("<", valueToReplace).Replace("&#", valueToReplace); }), RegexOptions.IgnoreCase);
            }
            return unvalidatedValue;
        }


回答5:

set ValidateRequest="false" on the top of the asp page.