What characters or character combinations are invalid when ValidateRequest is set to true?

我与影子孤独终老i submitted on 2019-11-27 15:17:44

Question


I've tried looking at the Microsoft site and Googling this but nobody seems to have an answer aside from the < and the >. There's more to it than that though. I've noticed that the HTML entity starter of &# is invalid. Is there anything else? Does anyone have a complete list?

Thanks!


Answer 1:


List of characters by framework version

1.1 Framework Validation:

* &#
* <alpha, <!, </
* script
* On handlers like onmouseenter, etc…
* expression(
* Looks for these starting characters (‘<’, ‘&’, ‘o’, ‘O’, ‘s’, ‘S’, ‘e’, ‘E’)

This is obviously a pretty strict list of items that would trigger a validation error. In the 2.0 Framework, Microsoft decided to loosen the restrictions on this quite a bit. Below is the list of validation checks in the 2.0 Framework.

2.0 Framework Validation:

* &#
* <alpha, <!, </, <?
* Looks for these starting characters (‘<’, ‘&’)
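
The 2.0 list above, expressed as a checker you can run against candidate inputs. This is an added example, not part of the answer and not Microsoft's implementation; the class and method names are hypothetical, and "alpha" is assumed to mean an ASCII letter.

```csharp
using System;

// Added illustration of the 2.0 Framework checks listed in the answer above.
// Hypothetical names; this is not the framework's own code.
public static class RequestValidationSketch
{
    // The 2.0 list only examines text that follows one of these characters.
    private static readonly char[] StartChars = { '<', '&' };

    // Returns the index of the first sequence the 2.0 list rejects, or -1 if none.
    public static int FindRejectedSequence(string value)
    {
        if (string.IsNullOrEmpty(value)) return -1;

        int i = 0;
        while (true)
        {
            int n = value.IndexOfAny(StartChars, i);
            // No start character left, or it is the last character (nothing follows it).
            if (n < 0 || n == value.Length - 1) return -1;

            char next = value[n + 1];
            if (value[n] == '<')
            {
                // <alpha, <!, </, <?
                if (IsAsciiLetter(next) || next == '!' || next == '/' || next == '?') return n;
            }
            else if (next == '#')
            {
                // &#
                return n;
            }
            i = n + 1; // keep scanning after this start character
        }
    }

    // Assumption: "alpha" in the list means a-z or A-Z.
    private static bool IsAsciiLetter(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples = { "a < b", "AT&T", "1 <2", "<b>hi</b>", "&#60;", "<?xml", "x </ y", "trailing <" };
        foreach (string s in samples)
        {
            int at = FindRejectedSequence(s);
            Console.WriteLine("{0,-12} {1}", s, at < 0 ? "passes" : "rejected at index " + at);
        }
    }
}
```

With these samples, `a < b`, `AT&T`, `1 <2` and `trailing <` pass because no listed sequence follows the start character, while the other four are rejected.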



Answer 2:


I don't have a complete list, but why do you need it? You can set ValidateRequest=false and prevent Script Injection yourself.

Maybe you will find the list here: Allowing percents, angle-brackets, and other naughty things in the ASP.NET/IIS Request URL



Source: https://stackoverflow.com/questions/3118876/what-characters-or-character-combinations-are-invalid-when-validaterequest-is-se
