Potential dangerous request, hide error

2019-05-11 14:21发布

I am trying to check the security of my MVC application. When I try to input html or javascript it gives an error: Potential dangerous request.

Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

This looks good, it is not possible to inject HTML or JavaScript. But the thing that I do not like, the users will see my version of ASP.net and everything.

How can I remove this error and give just a message with: I don't like your input or whatever.

I have tried to do this but this is not working:

[Authorize]
public ActionResult Create(int album_id)
{
    ViewBag.album_id = album_id;
    return View();
}

[Authorize]
[HttpPost]
public ActionResult Create(REVIEW model)
{
    string txt = null;
    try
    {
        txt = model.TEKST;
    }
    catch (System.Web.HttpRequestValidationException)
    {
        txt = "errorrr";
    }


    return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID});
}

SOLUTION: See Nudier's answer

1条回答
Animai°情兽
2楼-- · 2019-05-11 15:18

you can handle errors within your application in the following way

1. Setting the CustomErros mode section in your Web.Config file of your application

This the lists of options the mode attribute can accept.

RemoteOnly: Generic error pages are shown for remote users. Rich error pages are shown for local requests (requests that are made from the current computer). This is the default setting.

Off: Rich error pages are shown for all users, regardless of the source of the request. This setting is helpful in many development scenarios but should not be used in a deployed application.

On: Generic error pages are shown for all users, regardless of the source of the request. This is the most secure option.

     <System.Web>
      //map all the erros presented in the application to the error.aspx webpage
     <customErrors mode="RemoteOnly" defaultRedirect ="~/error.aspx" />
    <System.Web>

2. throught Global.asax file in the Application_Error function

     //handle all the errors presented in the application
      void Application_Error(object sender, EventArgs e){  
     Server.Tranfer("error.aspx");
    }

I hope this works for you.

查看更多
登录 后发表回答