ASP.net与AntiXss Lib中的反XSS支持 [英] Anti XSS support in ASP.net Vs AntiXss Lib

问题描述

ASP.net提供的XSS(跨站点脚本)支持与AntiXss有何不同?AntiXss是一个Microsoft库，用于针对XSS保护您的站点.两种API看上去几乎相似，并且看起来可以通过在代码文件中执行find replace轻松地将它们从一种切换到另一种.

How does the XSS (Cross Site Scripting) support provided by ASP.net differs from AntiXss. AntiXss is a microsoft library for securing your site against XSS. Both API looks almost similar and it looks that they can easily be switched from one to another by doing find replace in your code files.

哪个提供针对XSS的更多安全性?是否可以使用ASP.net提供的内在支持?

Which one provides more security against XSS? Is it advicable to use the intrinsic support provided by ASP.net?

推荐答案

有几个区别.首先，Microsoft AntiXss 库使用白名单编码，这意味着除已知安全的所有字符外，所有字符均已编码.ASP.NET的标准编码机制是黑名单.例如，对于HTML编码，它仅编码4个字符:< ，> ，& 和"(例如，它不对单引号进行编码.)例如，请参见

There are several differences. First of all the Microsoft AntiXss library uses white list encoding, which means that all characters are encoded, except all characters that are known safe. The standard encoding mechanism of ASP.NET is black list. For HTML encoding for instance, it only encodes 4 characters: <, >, & and " (for instance, it doesn't encode the single quote). Look for instance at this SO answer what can go wrong with this.

另一个区别是，基本的ASP.NET编码(使用 HttpUtility )只能编码HTML en URL. AntiXss 还允许对HTML属性和JavaScript文本进行编码.在标准ASP.NET中，没有安全的方法可以完成此操作.

Another difference is that basic ASP.NET encoding (using the HttpUtility) is only capable of encoding HTML en URLs. AntiXss also allows encoding HTML attributes and JavaScript text. There is no safe way of doing with in standard ASP.NET.

这篇关于ASP.net与AntiXss Lib中的反XSS支持的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！