
Post data html data acquisition risk handling method

WBOY
2016-06-24 11:48:31

Basic knowledge

The ValidateRequest attribute is a commonly used attribute of the Page class that indicates whether input data is checked for potential hazards. It defaults to True, which means that data submitted by the page to the server is checked for potential risks. So why is it necessary to check for potential risks?

ValidateRequest can be regarded as a security mechanism, which can block some unsafe code submitted from the client. A server is not reachable from just one computer: anyone who can reach its domain name can access it, so checking the security of what reaches the server is very important, and that is why the ValidateRequest attribute exists. However, some people ask: since this attribute is related to security, why are developers allowed to choose whether the security check is performed?

Many projects now include a what-you-see-is-what-you-get online editor, which saves time when writing a project. To use one, the page's ValidateRequest attribute must be False; otherwise submitting reports a security error, and you never get to see the effect of the submitted markup.

VS2005 and VS2008 are probably the most widely used versions right now. A few days ago I downloaded a trial version of VS2010 Ultimate. The VS2008 installation file is about 4.2G, while VS2010 Ultimate is only about 2.5G. Not only has the size been reduced, but some unsafe and unstable attributes are no longer supported. I set ValidateRequest="false" in the Page directive, started the page with Ctrl+F5, dragged a TextBox onto the page, entered <script> in the box, and submitted it with a server-side Button. The page reported an error, as shown in the figure.

The error says that a potentially dangerous Request.Form value was detected from the client (TextBox1="<script></script>"), which means that the submitted form contains unsafe content. Sharp-eyed readers may notice that besides ValidateRequest="false" I had also added Debug="true" to the Page directive. Here is the error page with only ValidateRequest="false" added, as shown in the figure.

The figure above is the error page shown when only the ValidateRequest="false" attribute is added. The page gives 2 suggestions; the first is to add the Debug="true" attribute to the Page directive, so we follow it. With Debug="true" added to the Page directive, the page still reports an error when run, as shown in the figure.

The figure above is the error page after adding Debug="true". So how do we stop the page from reporting the security check when neither ValidateRequest="false" nor Debug="true" helps? VS2010 can open projects created in 2008 or 2005; that is, it is backward compatible. We can use that backward compatibility to solve the problem. ASP.NET lets us configure web.config to use the request validation behavior of ASP.NET 2.0, so that no error is reported when the page is submitted again, as shown in the figure.
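The web.config setting described above, as an added example that is not from the original article: in ASP.NET 4 the requestValidationMode="2.0" attribute of httpRuntime restores the 2.0 behavior, in which a page's ValidateRequest="false" is honored. The page name Editor.aspx is a hypothetical placeholder, and scoping the setting with a location element goes beyond what the article describes.

```xml
<?xml version="1.0"?>
<!-- Added example. Editor.aspx is a hypothetical page that hosts the
     online editor and carries ValidateRequest="false" in its Page directive. -->
<configuration>

  <!-- Site-wide form: every page in the application falls back to the
       ASP.NET 2.0 validation behavior, so any page that sets
       ValidateRequest="false" accepts markup without the built-in check.

  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
  -->

  <!-- Scoped form: only Editor.aspx uses the 2.0 behavior. Every other
       page keeps the ASP.NET 4 default, where request validation runs
       regardless of the page-level ValidateRequest value. -->
  <location path="Editor.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>

</configuration>
```

Once the built-in check is off for a page, the submitted value is stored and rendered exactly as typed, so the page itself has to HTML-encode it (for example with Server.HtmlEncode) or sanitize it before writing it back into a response.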

The layout of VS2005 is almost the same as that of VS2008, but the layout of VS2010 has changed a lot. One of the highlights of VS2010 is the addition of MVC2, which is really powerful. I can only sigh at how strong Microsoft's cloning ability is. Since MVC was introduced in Java, it has been sought after by many software development engineers, and Microsoft, naturally not to be outdone, launched MVC2 in 2010, making the project hierarchy clearer and collaborative development better. VS2010 defaults to .NET Framework 4 and is compatible with all previous versions.
