只有从IE8潜在危险的Request.Form值危险、Form、Request
我有一个Facebook式的现代化按钮控件,其客户端的标记是这样的:
I have a Facebook-style modern button control whose client side markup looks like:
<button id="ctl00_uxBtn" value="ctl00$uxBtn" name="ctl00$uxBtn type="submit">
<div style="background-image: url("Icons/page_edit.png"); background-position: left center; background-repeat: no-repeat; line-height: 16px; padding: 3px 0pt 3px 22px;">Save Draft</div>
</button>
此按钮正常工作与IE和FF使用Visual Studio 2010的Web服务器,但是当我将应用程序部署到服务器(Windows Server 2008 / IIS 7.0)我收到检测到有潜在危险的Request.Form值错误,但只能用IE浏览器。看来,IE是传递ctl00_uxBtn =&LT; DIV的风格=背景图片:。...标记的Request.Form集合,其中IIS正确地跨$ P $点作为一个潜在的脚本注入漏洞最好的我可以说,FF通过ctl00_uxBtn =ctl00 $ uxBtn,这是完全可以接受的。有没有什么办法来强制IE成更FF-样的行为?我不想禁用请求验证。
This button works fine with both IE and FF using the Visual Studio 2010 web server, but when I deploy the application to the server (Windows Server 2008/IIS 7.0) I get "A potentially dangerous Request.Form value was detected" error, but only with IE. It appears that IE is passing the ctl00_uxBtn="<div style="background-image:..." markup in the Request.Form collection, which IIS correctly interprets as a potential script injection vulnerability. As best I can tell, FF passes ctl00_uxBtn="ctl00$uxBtn" which is perfectly acceptable. Is there any way to force IE into more FF-like behavior? I do not want to disable request validation.
推荐答案
IE坚持之间发送和其中的内容;按钮&GT;和&lt; /按钮&GT;作为按钮的值,并且有没有出现有一种方法来prevent它。因此,我们截取使用onsubmit事件处理程序,例如在客户端请求:
IE insists on sending the content between <button> and </button> as the value of the button, and there does not appear to be a way to prevent it. So, we intercept the request on the client side using an onsubmit event handler as such:
<form id="form1" runat="server" onsubmit="fixModernButton()">
我们的JavaScript函数,然后检查是否浏览器是IE,如果按钮的文字属性以&LT;。如果是这样,这是标记,将导致ASP.Net提高了潜在危险的Request.Form值的错误,所以我们innerHTML属性的值设置为innerText属性的值,然后提交表单。该人士对JavaScript函数是:
Our javascript function then checks if the browser is IE and if the button's innerHTML property starts with "<". If so, it is markup and will cause ASP.Net to raise the "Potentially dangerous Request.Form value" error, so we set the value of the innerHTML property to the value of the innerText property then submit the form. The source for the javascript function is:
function fixModernButton() {
if (navigator.appName === 'Microsoft Internet Explorer') {
if (document.activeElement.innerHTML && document.activeElement.innerHTML.charAt(0) === '<') {
document.activeElement.innerHTML = document.activeElement.innerText;
}
}
document.forms['form1'].submit();
}
