问题描述
我正在将一个旧的经典 asp 网站转换为 asp.net.
I'm converting an old classic asp website to asp.net.
该应用程序基本上是针对给定用户集的工具集的扩展,但它由外部供应商托管.
The application is basically an extension of a tool set for a given set of users but it is hosted at an external vendor.
为了执行到这个应用程序的无缝传输,它会发布一些 xml 数据,这些数据会触发潜在危险的 Request.Form 值".我知道我可以关闭 validateRequest 标志,但我不想这样做.
To perform a seamless transfer to this application it POSTS some xml data which is firing off the "potentially dangerous Request.Form value". I know I could turn off the validateRequest flag but I would rather not do this.
我已经编写了一个 httpmodule,它获取这些数据并使用它来验证用户,是否可以使用相同的模块或不同的模块来删除之前发布数据中的这些坏"值数据已验证"?
I have written an httpmodule which takes this data and uses it to authenticate the user, is it possible to use the same module, or a different module for that matter, to remove these "bad" values in the post data before that data is "validated"?
否则,如果这些想法都不起作用,我愿意接受其他建议.
Otherwise if none of these ideas work, I am open to other suggestions.
推荐答案
是的.以下类实现 IHttpModule 接口并注册和事件,这些事件将在 HttpRequestValidationException 检查发生之前触发.它检查请求是 POST 并且testinput"不为空,然后对其进行 HTML 编码.该类需要在您的 Web.config 中注册为 httpModule.
Yes. The following class implements the IHttpModule Interface and registers and event that will fire before the HttpRequestValidationException check occurs. It checks that the request is a POST and that "testinput" is not null and then HTML Encodes it. The Class needs to be registered in your Web.config as an httpModule.
类...
using System;
using System.Collections.Specialized;
using System.Reflection;
using System.Web;
public class PrevalidationSanitizer : System.Web.IHttpModule
{
private HttpApplication httpApp;
public void Init(HttpApplication httpApp)
{
this.httpApp = httpApp;
httpApp.PreRequestHandlerExecute += new System.EventHandler(PreRequestHandlerExecute_Event);
}
public void Dispose() { }
public void PreRequestHandlerExecute_Event(object sender, System.EventArgs args)
{
NameValueCollection form = httpApp.Request.Form;
Type type = form.GetType();
PropertyInfo prop = type.GetProperty("IsReadOnly", BindingFlags.Instance
| BindingFlags.IgnoreCase | BindingFlags.NonPublic | BindingFlags.FlattenHierarchy);
prop.SetValue(form, false, null);
if (httpApp.Request.RequestType == "POST" != null
&& httpApp.Request.Form["testinput"])
httpApp.Request.Form.Set("testinput"
, httpApp.Server.HtmlEncode(httpApp.Request.Form["testinput"]));
}
}
web.config 条目...
web.config entry...
<system.web>
<httpModules>
<add type="PrevalidationSanitizer" name="PrevalidationSanitizer" />
...
这篇关于是否可以使用 HttpModule 删除一些帖子数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!