I am using Acunetix, and the following query "api/demues?gameid = 1'"()%26%25VATC(9571)" returns the following response:
{
"status": 400,
"userMessage": [
"There are validation errors"
],
"validationErrors": [
"The value '1'"()&%<acx><ScRiPt >NJMi(9780)</ScRiPt>' is not valid."
]
}
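Acunetix flags this as a possible XSS security issue, and I want to override the validation error message so that this is avoided across the whole application.
Model binder messages can be customized like this: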
services.AddMvcCore().AddMvcOptions(options =>
{
options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(s => "The provided value is invalid.");
});
It is worth adding that there are 3 other built-in binder errors that echo the value back:
options.ModelBindingMessageProvider.SetAttemptedValueIsInvalidAccessor((x, y) => $"The value is not valid for {y}.");
options.ModelBindingMessageProvider.SetNonPropertyAttemptedValueIsInvalidAccessor(x => "The value is not valid.");
options.ModelBindingMessageProvider.SetValueIsInvalidAccessor(x => "The value is invalid.");
options.ModelBindingMessageProvider.SetValueMustNotBeNullAccessor(x => "The value is invalid.");
It is best to check MSDN for the currently available model binding message providers.
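
A regression check for the change described in the answers above, as an added example that is not part of the original posts: it URL-decodes the submitted query value and reports every string field of the error response that still echoes it. The function name, the probe string and both sample responses are constructed for illustration.

```python
import json
from urllib.parse import unquote_plus


def reflected_fields(submitted_raw, response_body):
    """Return the JSON paths of string fields that echo the submitted value.

    submitted_raw is the query-string value exactly as sent (still
    percent-encoded); the server reflects the decoded form, so decode first.
    """
    needle = unquote_plus(submitted_raw)
    try:
        document = json.loads(response_body)
    except ValueError:
        # Not valid JSON (e.g. an HTML error page): fall back to a raw search.
        return ["$"] if needle in response_body else []

    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and needle in node:
            hits.append(path)

    walk(document, "$")
    return hits


# Constructed probe, shaped like the scanner input in the question.
PROBE_RAW = "1'\"()%26%25<probe>"

# Constructed response with the default binder message (value echoed back).
BEFORE = json.dumps({
    "status": 400,
    "userMessage": ["There are validation errors"],
    "validationErrors": ["The value '1'\"()&%<probe>' is not valid."],
})

# Constructed response after overriding the accessor with a fixed message.
AFTER = json.dumps({
    "status": 400,
    "userMessage": ["There are validation errors"],
    "validationErrors": ["The provided value is invalid."],
})
```

An empty list for every endpoint and parameter type means none of the binder messages is reflecting input any more.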