最終我實現了一個自定義的模型綁定器……它是結合閱讀 https://weblogs.asp.net/imranbaloch/security-issue-in-asp-net-mvc3-jsonvalueproviderfactory 與 https://gist.github.com/jamescrowley/b8c0c006e7b00e28cbbf 兩篇文章的結果。
它把請求的來源標示為 RequestValidationSource.Form，使其看起來像表單資料，因此可以在同一個驗證管線中進行驗證。
public class JsonValidatingModelBinder : DefaultModelBinder
{
/// <summary>
/// Binds the model with the default binder, then runs ASP.NET request validation over the
/// bound value when the request carries a JSON body and validation is enabled for this model.
/// </summary>
/// <param name="controllerContext">Context of the current request.</param>
/// <param name="bindingContext">Binding context; its metadata says whether request validation applies.</param>
/// <returns>The value produced by <see cref="DefaultModelBinder.BindModel"/>, unchanged.</returns>
/// <exception cref="HttpRequestValidationException">Propagated when the bound value fails request validation.</exception>
public override object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
{
    object boundValue = base.BindModel(controllerContext, bindingContext);

    // Only JSON bodies need this extra pass; form fields are validated by ASP.NET itself.
    // [AllowHtml] and similar switch RequestValidationEnabled off for a model or property.
    // NOTE(review): this relies on DefaultModelBinder re-entering BindModel for each property
    // of a complex model so that leaf string values reach the check individually — confirm
    // against the MVC version in use.
    bool needsValidation = IsJsonRequest(controllerContext)
        && bindingContext.ModelMetadata.RequestValidationEnabled
        && boundValue != null;

    if (needsValidation)
    {
        EnsureRequestFieldIsValid(controllerContext, boundValue);
    }

    return boundValue;
}
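/// <summary>
/// Runs the configured <see cref="RequestValidator"/> over the text of a bound value and throws
/// when it contains potentially dangerous content, mirroring what ASP.NET does for form fields.
/// </summary>
/// <param name="controllerContext">Context of the current request; supplies the HttpContext handed to the validator.</param>
/// <param name="result">The value produced by model binding; must not be null.</param>
/// <exception cref="HttpRequestValidationException">Thrown when the validator rejects the value.</exception>
static void EnsureRequestFieldIsValid(ControllerContext controllerContext, object result)
{
    System.Web.HttpContext context = controllerContext.HttpContext.ApplicationInstance.Context;

    // A string is the usual leaf case: validate its content directly.
    string text = result as string;
    if (text != null)
    {
        ThrowIfInvalid(context, text);
        return;
    }

    // Arrays and other sequences (e.g. a string[] property) are not guaranteed to come back
    // through BindModel element by element, and their ToString() is only the type name, which
    // would pass validation unchecked. Validate the text of each element instead.
    System.Collections.IEnumerable sequence = result as System.Collections.IEnumerable;
    if (sequence != null)
    {
        foreach (object item in sequence)
        {
            if (item != null)
            {
                ThrowIfInvalid(context, item.ToString());
            }
        }
        return;
    }

    // Any other value: validate its string form. For a complex object this is just the type
    // name; its properties are expected to be validated when the binder re-enters for each of
    // them (NOTE(review): confirm DefaultModelBinder does so in the MVC version in use).
    ThrowIfInvalid(context, result.ToString());
}

// Invokes the request validator with RequestValidationSource.Form so the JSON value is checked
// by the same rules as a posted form field (the enum value is deliberately "abused" for this).
static void ThrowIfInvalid(System.Web.HttpContext context, string value)
{
    int index;
    if (!RequestValidator.Current.InvokeIsValidRequestString(
        context, value, RequestValidationSource.Form, null, out index))
    {
        throw new HttpRequestValidationException(
            "A potentially dangerous value was detected from the client ");
    }
}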
/// <summary>
/// Tells whether the current request declares a JSON body, i.e. its Content-Type header
/// starts with <c>application/json</c> (compared ordinally, ignoring case).
/// </summary>
/// <param name="controllerContext">Context of the current request.</param>
/// <returns><c>true</c> for JSON requests; otherwise <c>false</c>.</returns>
static bool IsJsonRequest(ControllerContext controllerContext)
{
    string contentType = controllerContext.HttpContext.Request.ContentType;
    // Prefix match so that parameters such as "; charset=utf-8" do not defeat the check.
    return contentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase);
}
以及在 Global.asax 中……
/// <summary>
/// Registers <see cref="JsonValidatingModelBinder"/> as the application-wide default model
/// binder so that JSON request bodies are request-validated like form posts.
/// </summary>
// NOTE(review): only the default binder is replaced; binders registered for specific types
// in ModelBinders.Binders would not go through this validation — confirm none are registered.
protected void Application_Start()
{
    var jsonValidatingBinder = new JsonValidatingModelBinder();
    System.Web.Mvc.ModelBinders.Binders.DefaultBinder = jsonValidatingBinder;
}
[自定義請求驗證](https://msdn.microsoft.com/en-us/library/system.web.util.requestvalidationsource(v=vs.110).aspx)，希望它有幫助 –