默认情况下,ASP.NET MVC 4是否需要额外的XSS处理 [英] Does ASP.NET MVC 4 require extra XSS handling by default
问题描述
默认情况下,ASP.NET MVC 4忽略帖子消息中的HTML输入.如果我不明确接受HTML,我需要编写任何代码来保护自己的网站免受XSS攻击吗?我不会使用[AllowHtml]
或[ValidateInput(false)]
.我只是想找出是否应该担心XSS攻击.我正在使用Razor作为视图引擎.
ASP.NET MVC 4 by default ignores HTML input in a post message. If I don't explicitly accept HTML, is there any code I need to write to defend my site against XSS attacks? I won't be using [AllowHtml]
or [ValidateInput(false)]
. I'm just trying to find out if I should worry about XSS attacks or not. I'm using Razor as my view engine.
推荐答案
我发现 Amir Ismail 一个解决您所有问题的方法. http://miroprocessordev.blogspot.com/2012/03/save-aspnet-mvc-application-against.html
I found an excellent blog post by Amir Ismail that addresses all of your concerns. http://miroprocessordev.blogspot.com/2012/03/save-aspnet-mvc-application-against.html
总结他写的东西.
除非使用Html.Raw
,否则剃刀默认编码.
Html.AntiForgeryToken()
可用于创建随机令牌,以防止CSRF,但是它要求用户接受Cookie.
To summarize what he writes.
Razor is encoded default unless Html.Raw
is used.
Html.AntiForgeryToken()
can be used to create a random token that will protect against CSRF however it requires the user to accept cookies.
这篇关于默认情况下,ASP.NET MVC 4是否需要额外的XSS处理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!