潜在的危险请求,隐藏错误

我试图检查我的MVC应用程序的安全性。 当我尝试输入html或javascript时,它会出错:潜在的危险请求。

Server Error in '/' Application. A potentially dangerous Request.Form value was detected from the client (TEKST="joo</ht..."). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: . After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the  configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133. Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (TEKST="joo</ht..."). Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. 

这看起来不错,无法注入HTML或JavaScript。 但是我不喜欢的东西,用户会看到我的ASP.net版本和一切。

如何删除此错误并仅提供以下消息:我不喜欢您的输入或其他任何内容。

我试过这样做,但这不起作用:

 [Authorize] public ActionResult Create(int album_id) { ViewBag.album_id = album_id; return View(); } [Authorize] [HttpPost] public ActionResult Create(REVIEW model) { string txt = null; try { txt = model.TEKST; } catch (System.Web.HttpRequestValidationException) { txt = "errorrr"; } return RedirectToAction("Add", new { tekst = txt, album_id=model.ALBUM_ID}); } 

解决方案:见Nudier的答案

您可以通过以下方式处理应用程序中的错误

1.在应用程序的Web.Config文件中设置CustomErros模式部分

这是mode属性可以接受的选项列表。

RemoteOnly:为远程用户显示通用错误页面。 显示本地请求(从当前计算机发出的请求)的丰富错误页面。 这是默认设置。

关:无论请求的来源如何,都会为所有用户显示丰富的错误页面。 此设置在许多开发方案中很有用,但不应在已部署的应用程序中使用。

On:显示所有用户的通用错误页面,无论请求的来源如何。 这是最安全的选择。

   //map all the erros presented in the application to the error.aspx webpage   

2.通过Application_Error函数中的Global.asax文件

  //handle all the errors presented in the application void Application_Error(object sender, EventArgs e){ Server.Tranfer("error.aspx"); } 

我希望这适合你。