潛在的危險請求，隱藏錯誤

Question

我想檢查我的MVC應用程序的安全性。當我嘗試輸入HTML或JavaScript時，會出現一個錯誤：潛在的危險請求。

Server Error in '/' Application. 
A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht..."). 
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133. 

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="<html><b>joo</b></ht..."). 

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

這看起來不錯，不可能注入H​​TML或JavaScript。但是我不喜歡的東西，用戶會看到我的版本的ASP.net和一切。

如何刪除此錯誤並僅給出以下消息：我不喜歡您的輸入或其他內容。

我試圖做到這一點，但是這是行不通的：

[Authorize] 
public ActionResult Create(int album_id) 
{ 
    ViewBag.album_id = album_id; 
    return View(); 
} 

[Authorize] 
[HttpPost] 
public ActionResult Create(REVIEW model) 
{ 
    string txt = null; 
    try 
    { 
     txt = model.TEKST; 
    } 
    catch (System.Web.HttpRequestValidationException) 
    { 
     txt = "errorrr"; 
    } 


    return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID}); 
} 

SOLUTION： 見Nudier的回答

Answer 1

您可以通過以下方式

1處理您的應用程序中的錯誤。在您的應用程序的Web.Config文件中設置CustomErros模式部分

這是模式屬性可以接受的選項列表。

RemoteOnly：顯示遠程用戶的一般錯誤頁面。針對 本地請求（來自當前計算機的請求）顯示豐富的錯誤頁面。這是 的默認設置。

Off：無論請求的來源如何，所有用戶都會顯示豐富的錯誤頁面。 此設置在許多開發場景中很有用，但不應在 已部署的應用程序中使用。

查看：顯示所有用戶的一般錯誤頁面，無論 請求的來源如何。這是最安全的選擇。

 <System.Web> 
     //map all the erros presented in the application to the error.aspx webpage 
    <customErrors mode="RemoteOnly" defaultRedirect ="~/error.aspx" /> 
    <System.Web> 

2. throught Global.asax文件中的Application_Error功能

 //handle all the errors presented in the application 
     void Application_Error(object sender, EventArgs e){ 
    Server.Tranfer("error.aspx"); 
    } 

我希望這對你的作品。