How to properly sanitize content with AntiXss Library?


Question


I have a simple forum application; when someone posts any content, I do:

post.Content = Sanitizer.GetSafeHtml(post.Content);


Now, I am not sure if I am doing something wrong, or what is going on, but it does not allow almost any HTML. Even a simple <b></b> is too much for it. So I guess that tool is totally useless.


Now my question: can anyone tell me how I should sanitize my users' input so that they can post some images (<img> tags) and use bold emphasis etc.?

Answer


It seems that many people find the sanitizer rather useless. Instead of using the sanitizer, just encode everything, and decode the safe parts back:

// Assumed usings (not shown in the original post). The AntiXss alias points at the
// Microsoft AntiXSS library's namespace so that AntiXss.Encoder.HtmlEncode resolves.
using System;
using System.Linq;
using System.Text;
using AntiXss = Microsoft.Security.Application;

public static class HtmlSanitizer
{
    // Tags allowed through, stored as (HTML-encoded form, original form) pairs.
    private static readonly Tuple<string, string>[] WhiteList = (new string[]
        {
            "<b>", "</b>", "<i>", "</i>"
        })
        .Select(tag => Tuple.Create(AntiXss.Encoder.HtmlEncode(tag), tag))
        .ToArray();

    // Encode the whole input, then turn only the whitelisted tags back into markup.
    public static string Sanitize(string html)
    {
        var safeHtml = new StringBuilder(AntiXss.Encoder.HtmlEncode(html));

        for (int index = 0; index < WhiteList.Length; index++)
        {
            string encodedTag = WhiteList[index].Item1;
            string decodedTag = WhiteList[index].Item2;
            safeHtml.Replace(encodedTag, decodedTag);
        }

        return safeHtml.ToString();
    }
}


Please note that it's nearly impossible to safely decode an IMG tag, since there are really simple ways for an attacker to abuse this tag. Examples:

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

Have a look here for a more thorough XSS cheat sheet.
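As an added example (not the answer's own code), here is how the encode-then-restore approach above can be extended to the questioner's <img> case without decoding the user's tag at all: only a strictly shaped <img src="..."> is considered, its src is entity-decoded and must parse as an absolute http(s) URL, and the tag is then rebuilt from that validated value. It assumes System.Net.WebUtility as the encoder in place of the AntiXSS library so it compiles stand-alone; both entity-encoded payloads shown above are rejected and end up encoded as inert text.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

public static class ImgSanitizer
{
    // Only this exact shape is considered: <img src="..."> with a double-quoted src
    // and no other attributes (so no event handlers, no style=, no unquoted values).
    private static readonly Regex ImgTag = new Regex(
        @"<img\s+src=""([^""]*)""\s*/?>", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Entity-decode first so &#106;avascript: is seen as javascript:, then require an
    // absolute http(s) URL. Anything else (javascript:, data:, relative paths) is rejected.
    public static bool IsSafeImageUrl(string rawSrc)
    {
        string decoded = WebUtility.HtmlDecode(rawSrc).Trim();
        Uri uri;
        if (!Uri.TryCreate(decoded, UriKind.Absolute, out uri))
            return false;
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    public static string Sanitize(string html)
    {
        var rebuilt = new List<string>();
        // 1. Swap each acceptable <img> for a marker; unsafe ones are left in place
        //    and get encoded together with everything else in step 2.
        string withMarkers = ImgTag.Replace(html, m =>
        {
            string src = m.Groups[1].Value;
            if (!IsSafeImageUrl(src))
                return m.Value;
            // Rebuild the tag from the validated URL instead of decoding the user's bytes.
            string safeSrc = WebUtility.HtmlEncode(WebUtility.HtmlDecode(src).Trim());
            rebuilt.Add("<img src=\"" + safeSrc + "\">");
            return "\u0001" + (rebuilt.Count - 1) + "\u0001";   // control-char marker
        });

        // 2. Encode everything, exactly as the answer's Sanitize does (WebUtility here).
        string encoded = WebUtility.HtmlEncode(withMarkers);
        // 3. Restore only the tags this code built itself.
        for (int i = 0; i < rebuilt.Count; i++)
            encoded = encoded.Replace("\u0001" + i + "\u0001", rebuilt[i]);
        return encoded;
    }
}
```

The whitelisted <b>/<i> handling from the answer can be applied to the result of step 2 in the same way as before; the important property is that user-supplied <img> markup is never passed through, only a tag generated from a URL that has already passed validation.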
