自动HtmlEn code在ASP.NET [英] Automatically HtmlEncode in ASP.NET
问题描述
on Rails的撒娇由红宝石(3),我希望我所有的HTML输出自动地连接codeD。
Spoiled by Ruby on Rails (3), I expect all my HTML output to be automatically encoded.
我问这个<一个href=\"http://stackoverflow.com/questions/7136864/script-exploits-in-asp-net-is-the-advice-good/7136904#7136904\">question有关脚本利用早一些,我现在想知道,有没有一些设置,插件或扩展ASP.NET会自动导致所有HTML是 HtmlEn code 编辑或做我必须非常小心,并确保我自己?
I asked this question about script exploits a bit earlier and am now wondering, is there some setting, plugin or extension for ASP.NET that will automatically cause all HTML to be HtmlEncode'ed or do I have to be really careful and ensure that on my own?
推荐答案
各种ASP.NET控件带HtmlEn code code HTML自动(和UrlEn code几尽URL编码),但它不具有普遍性。下面是控制和什么编码(如果有的话),他们自动地做一个列表。我不知道这是否对.NET 4.0或不更新:
Various ASP.NET controls automatically encode HTML with HtmlEncode (and a few do URL encoding with UrlEncode), but it's not universal. Here's a list of controls and what encoding (if any) they do automatically. I don't know if it's updated for .NET 4.0 or not:
<一个href=\"http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-08-91-89-96/asp.net_5F00_control_5F00_encoding.htm\"相对=nofollow>哪些ASP.NET自动控制恩codeS?(该链接会提示你保存文档)
Which ASP.NET Controls Automatically Encodes? (this link will ask you to save the document)
这是上面的文件是从博客:
This is the blog that the above document is from:
<一个href=\"http://blogs.msdn.com/b/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-en$c$cs.aspx\" rel=\"nofollow\">http://blogs.msdn.com/b/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-en$c$cs.aspx
据最初发布于2008年9月,因此它可能是目前的2.0,但不一定是4.0。仍然是一个有用的资源有,不过,海事组织。
It was originally posted in Sep 2008, so it's probably current for 2.0, but not necessarily 4.0. Still a useful resource to have, though, IMO.
您也应该看看微软反跨网站脚本库3.1 。
正如balexandre指出的那样,现在出现了ANIT-XSS库是开源的Web保护库的一部分:
As pointed out by balexandre, it appears the Anit-XSS library is now part of the open source Web Protection Library:
此外, OWASP 是安全信息的好资源,他们有一个企业安全API项目(ESAPI)即在各种编程语言中使用(在不同程度上)。在.NET一个尚未完成,我相信。
Also, OWASP is a good resource for security information, and they have an Enterprise Security API project (ESAPI) that is available (to varying degrees) in various programming languages. The .NET one is not complete yet, I believe.
这篇关于自动HtmlEn code在ASP.NET的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
