' Two alternative one-liners for pushing a client-side reload into the response.
' The JavaScript is written without <script> tags, so the surrounding output must
' already be inside a script block — presumably the case here; confirm at the call site.
With System.Web.HttpContext.Current.Response
    .Write("location.reload()" & vbCrLf)
    .Write("location.href=location.href" & vbCrLf)
End With
<!-- Site stylesheet plus respond.min.js (presumably the Respond.js media-query polyfill),
     both loaded from the site's own relative paths rather than an external host. -->
<link rel="stylesheet" type="text/css" href="style.css" media="screen" />
<script type="text/javascript" src="js/respond.min.js"></script>
<system.web>
<!-- requestValidationMode="2.0": runs ASP.NET request validation with the narrower 2.0 scope
     (.aspx pages, as the note below describes) instead of the 4.0 scope that also covers
     web-service calls and custom HTTP handlers. -->
<httpRuntime requestValidationMode="2.0" />
<!-- validateRequest="false": switches the page-level check off entirely. With both settings in
     place nothing inspects incoming values, so every value echoed back into a page has to be
     HTML/JavaScript-encoded at the point where it is written out. -->
<pages validateRequest="false" />
</system.web>
後者比較算是正解。基本上處理掉 <script 之後，我想 XSS 就解決一大半了。
在 Web.config 的 <system.web> 中加入這段 <httpRuntime requestValidationMode="2.0" /> 就 OK 了!!!
造成的原因
是.NET 4.0跟2.0版本在請求驗證的定義不同:
ASP.NET Request Validation（請求驗證）是 ASP.NET 提供來防範 XSS 攻擊的一項功能
在2.0 僅針對.aspx及class進行驗證…
但到了 4.0，請求驗證範圍擴大到所有的請求…
而不是只有.aspx,還包含WebService呼叫以及自訂的http Handlers,都會去驗證http請求的內容…
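''' <summary>
''' Sends a high-priority HTML e-mail through the SMTP host named by UW.Mail.SMTP_SERVER_NAME.
''' </summary>
''' <param name="Subject">Subject line of the message.</param>
''' <param name="Body">Message body. It is sent as HTML, so any caller-supplied text must already be HTML-encoded.</param>
''' <param name="FromMail">Sender address.</param>
''' <param name="ToMail">Recipient address. System.Net.Mail parses this as a comma-separated list;
''' if callers passed semicolon-separated lists to the old System.Web.Mail API, adjust them — confirm.</param>
''' <remarks>
''' Replaces the obsolete System.Web.Mail (CDO-based) API with System.Net.Mail. The new API
''' validates the address fields (FormatException on a malformed address) and, on current
''' framework versions, rejects CR/LF in the subject, so header-shaped input is not handed to
''' the SMTP server verbatim. Both objects are IDisposable and are released via Using.
''' </remarks>
Sub SendMail_godaddy(ByVal Subject As String, ByVal Body As String, ByVal FromMail As String, ByVal ToMail As String)
    Using objMail As New System.Net.Mail.MailMessage(FromMail, ToMail, Subject, Body)
        objMail.IsBodyHtml = True                                   ' was BodyFormat = MailFormat.Html
        objMail.Priority = System.Net.Mail.MailPriority.High        ' was MailPriority.High
        ' SmtpClient is IDisposable from .NET 4.0; disposing it closes the SMTP session.
        Using client As New System.Net.Mail.SmtpClient(UW.Mail.SMTP_SERVER_NAME)
            client.Send(objMail)
        End Using
    End Using
End Sub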
' Refresh: a request carrying a non-empty "Refresh" query-string or form value evicts the
' cached entry so the next read rebuilds it from the database.
' NOTE(review): nothing visible here restricts who may trigger the eviction — confirm the page
' is not reachable anonymously, since each such request forces a fresh database query.
If UW.WU.IsNonEmptyFromQueryStringOrForm("Refresh") Then System.Web.HttpContext.Current.Cache.Remove(CacheName)
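' Cache section: on a miss, load the Product table and store it under CacheName.
' No time-based expiry is set; the entry is dropped when any of these dependencies fires:
'   - SQL change notification on the Product table
'   - SQL change notification on the Product_Category table
'   - a change to the DirectBuyAllProduct.html template file
If obj Is Nothing Then
    ' WITH (NOLOCK) reads uncommitted rows (presumably chosen to avoid blocking writers);
    ' the cached snapshot may therefore include in-flight changes until the next notification.
    Dim SQL As String = "select * from Product with (nolock)"   ' single initialisation instead of "" then reassign
    obj = UW.SQL.DTFromSQL(SQL)
    Dim AC As New AggregateCacheDependency()
    ' AggregateCacheDependency.Add takes a ParamArray, so the intermediate array is unnecessary.
    AC.Add( _
        New SqlCacheDependency(UW.SQL.sqlCacheDependencyName, "Product"), _
        New SqlCacheDependency(UW.SQL.sqlCacheDependencyName, "Product_Category"))
    AC.Add(New CacheDependency(UW.Template.TemplateRoot & "2013UI\Product\DirectBuyAllProduct.html"))
    System.Web.HttpContext.Current.Cache.Insert(CacheName, obj, AC)
End If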