Why disabling request validation fails under the ASP.NET 4.0 framework, and how to handle it

  • 2020-06-15 08:01:07
  • OfStack

ASP.NET request validation provides security for our application and protects our site from XSS (cross-site scripting) attacks. But sometimes, for example when we use an online text editor like CKEditor, we need to let the user enter some HTML text. In ASP.NET 2.0 we can allow this by setting validateRequest="false" in web.config, and in MVC we can disable validation by setting [ValidateInput(false)] on the Controller or Action. Under the ASP.NET 4.0 framework, however, you will find that even if you do this, you still get an exception such as "A potentially dangerous Request.Form value was detected from the client". What's going on here?

It turns out that the ASP.NET 4.0 application life cycle has changed. In previous versions of ASP.NET, request validation was enabled by default, but it applied only to page requests (requests for .aspx pages) and ran only when a page was being processed. In ASP.NET 4.0, request validation is brought forward so that it runs before the BeginRequest stage of the request. This means that every HTTP request entering the ASP.NET request pipeline has its content validated, including requests to custom HttpHandlers, WebService requests, and even requests handled by a custom HttpModule.

Because request validation has been moved forward, setting ValidateRequest=false on the page, or disabling validation on the Controller, no longer stops the application from validating the request input. At the point where validation runs, the HttpHandler has not yet been instantiated, so the validator cannot tell whether the requested page has disabled request validation. ASP.NET 4.0 itself offers no place to turn this early validation off. For compatibility, however, ASP.NET lets us restore the ASP.NET 2.0 request validation behavior with one setting in web.config: <httpRuntime requestValidationMode="2.0" />. That's it.
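The two settings described above work together, so here they are in one web.config. This is an added example, not configuration from the original article; it goes one step further by using a location element to disable validation only for the page that hosts the editor, and the path Editor.aspx is a hypothetical name.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Restore the ASP.NET 2.0 behavior: request validation runs only for
         page requests, so page-level settings are honored again. -->
    <httpRuntime requestValidationMode="2.0" />

    <!-- Site-wide default stays on: every other page still rejects
         form values that look like markup. -->
    <pages validateRequest="true" />
  </system.web>

  <!-- Hypothetical path: the single page that hosts the rich-text editor.
       Only requests to this page skip request validation. -->
  <location path="Editor.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

With this layout the HTML posted to Editor.aspx reaches the page unvalidated, so that page is the one place where the submitted markup has to be sanitized or encoded before it is stored or rendered.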

