HTML.Encode()-如何/如何防止ASP .NET中的脚本安全性问题? [英] HTML.Encode() - What/How does it prevent scripting security problems in ASP .NET?
问题描述
在处理用户输入(特别是脚本问题)时,HTML.Encode()为我提供了哪些安全保护?
What security protection does HTML.Encode() afford me when I'm dealing with user input, specifically scripting problems?
推荐答案
请参阅 Server.HTMLEncode
:
HTMLEncode方法应用HTML编码为指定的字符串.这可以作为一种快速的方法编码表单数据和其他客户端在您将其使用之前先请求数据Web应用程序.编码数据转换可能不安全的字符改成它们的HTML编码形式.
The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application. Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.
如果要编码的字符串不是DBCS,HTMLEncode转换字符如下:
If the string to be encoded is not DBCS, HTMLEncode converts characters as follows:
- 小于字符(<)会转换为
& lt;
. - 大于字符(>)转换为
& gt;
. - &字符(&)转换为
&
. - 将双引号字符()转换为
&"
. - 任何大于或等于0x80的ASCII代码字符被转换为
&#< number>
,其中是ASCII字符值.
- The less-than character (<) is converted to
<
. - The greater-than character (>) is converted to
>
. - The ampersand character (&) is converted to
&
. - The double-quote character (") is converted to
"
. - Any ASCII code character whose code is greater-than or equal to 0x80
is converted to
&#<number>
, where is the ASCII character value.
这意味着,如果您要将一些数据转储到请求流中,并且该数据已从用户输入的字段保存到数据库中,则将阻止用户说出他们的名字为:
This means that if you are going to dump some data to the request stream and that data was saved to the database from a user-entered field it will prevent users from being able to say that their first name is:
<script type="text/javascript">
function doSomethingEvil() { /* ... */ }
</script>
在此示例中, Server.HTMLEncode
将对<
,>
和"
字符进行编码离开这个:
In this example, Server.HTMLEncode
would encode the <
, >
, and "
characters leaving this:
<script type="text/javascript">
function doSomethingEvil() { /* ... */ }
</script>
如果在浏览器中呈现,则将如下所示:
which, if rendered in the browser will look like this:
< script type ="文本/javascript">函数doSomethingEvil(){/* ... */}</script>
<script type="text/javascript"> function doSomethingEvil() { /* ... */ } </script>
而不是实际执行.
这篇关于HTML.Encode()-如何/如何防止ASP .NET中的脚本安全性问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!