要HTMLEN code或不HTMLEN Web表单（asp.net VB）在code用户输入 [英] To HTMLENCODE or not to HTMLENCODE user input on web form (asp.net vb)

问题描述

我有很多PARAMS弥补例如插入表格：

I have many params making up an insert form for example:

x.Parameters.AddWithValue("@city", City.Text)

我今天早上在网站上失败的XSS攻击，所以我想反正以加强保安措施....

I had a failed xss attack on the site this morning, so I am trying to beef up security measures anyway....

我应该将我的输入PARAMS这样？

Should I be adding my input params like this?

x.Parameters.AddWithValue("@city", HttpUtility.HtmlEncode(City.Text))

还有什么我应该考虑避免攻击？

Is there anything else I should consider to avoid attacks?

推荐答案

不要带code输入。做EN code输出。在未来的某个时候，你可能会决定要使用相同的数据生成PDF或Word文档（或别的东西），此时你不会希望它是HTML。

Don't encode input. Do encode output. At some point in the future, you might decide you want to use the same data to produce PDF or a Word document (or something else), at which point you won't want it to be HTML.

当您接受数据，它只是数据。

When you are accepting data, it is just data.

当要插入数据到数据库中，它需要转换为有意义的数据库

When you are inserting data into a database, it needs to be converted to make sense for the database.

当您正在将数据插入到一个HTML文件，它需要转换为有意义的HTML

When you are inserting data into an HTML document, it needs to be converted to make sense for HTML.

...等

这篇关于要HTMLEN code或不HTMLEN Web表单（asp.net VB）在code用户输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！