ASP.Net Core 中的 AntiXSS [英] AntiXSS in ASP.Net Core

问题描述

Microsoft Web 保护库 (AntiXSS) 已终止使用.该页面指出在 .NET 4.0 中，框架中包含了一个 AntiXSS 版本，可以通过配置启用.在 ASP.NET v5 中，基于白名单的编码器将是唯一的编码器."

Microsoft Web Protection Library (AntiXSS) has reached End of Life. The page states "In .NET 4.0 a version of AntiXSS was included in the framework and could be enabled via configuration. In ASP.NET v5 a white list based encoder will be the only encoder."

我有一个经典的跨站点脚本场景:一个 ASP.Net Core 解决方案，用户可以在其中使用 WYSIWYG html 编辑器编辑文本.结果显示给其他人看.这意味着，如果用户在保存文本时将 JavaScript 注入到他们提交的数据中，则当其他人访问该页面时，该代码可能会执行.

I have a classic cross site scripting scenario: An ASP.Net Core solution where users can edit text using a WYSIWYG html-editor. The result is displayed for others to see. This means that if users inject a JavaScript into the data they submit when saving the text this code could execute when others visits the page.

我希望能够将某些 HTML 代码(安全代码)列入白名单，但去除不良代码.

I want to be able to whitelist certain HTML-codes (safe ones), but strip out bad codes.

我该怎么做?我在 ASP.Net Core RC2 中找不到任何方法来帮助我.这个白名单编码器在哪里?我如何调用它?例如，我需要清理通过 JSON WebAPI 返回的输出.

How do I do this? I can't find any methods in ASP.Net Core RC2 to help me. Where is this white list encoder? How do I invoke it? For example I would need to clean output being returned via JSON WebAPI.

推荐答案

dot.net 核心社区有一个关于此的 wiki.

The dot.net core community has a wiki on this.

您可以在控制器级别(在构造函数中)注入编码器或引用 System.Text.Encodings.Web.

You can inject encoders at a controller level (in the constructor) or reference System.Text.Encodings.Web.

可以在此处查看更多信息:

More info can be seen here:

https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting

这篇关于ASP.Net Core 中的 AntiXSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！