Script exploits in ASP.NET - Is setting validateRequest="true" good advice?


Question

I was reading about ASP.NET Script Exploits, and one of the suggestions is:
(emphasis is mine; the suggestion is #3 in the section "Guarding Against Scripting Exploits" on that web page)

If you want your application to accept some HTML (for example, some formatting instructions from users), you should encode the HTML at the client before it is submitted to the server. For more information, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.

Isn't that really bad advice? I mean, an exploiter could send the HTML via curl or something similar, and the HTML would then be sent un-encoded to the server, which can't be good(?)

Am I missing something here or misinterpreting the statement?

Answer

Microsoft is not wrong in that sentence, but on the other hand it is far from complete, and on its own the sentence is dangerous.

Since validateRequest == true by default, you indeed should encode special HTML characters in the client in order for them to get into the server in the first place and bypass validateRequest.

But they should have emphasized that this is certainly not a replacement for server-side filtering and validation.

Specifically, if you must accept HTML, the strongest advice is to use white-listing instead of black-list filtering (i.e. allow very specific HTML tags and eliminate all the others). Use of the Microsoft AntiXSS library is highly recommended for strong user input filtering. It's far better than "re-inventing the wheel" yourself.
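As an added example, not code from the question or the answer above, here is the server-side handling the answer calls for, in C# for ASP.NET 4.x with the AntiXSS library. It assumes the default <pages validateRequest="true" /> in web.config and the AntiXSS 4.x package referenced; the class name, the method names and the two constructed inputs are illustrative:

```csharp
using System;
using System.Web;
using Microsoft.Security.Application; // AntiXSS library: Sanitizer and Encoder

// Added example, not code from the question or the answer. Assumes ASP.NET 4.x
// Web Forms with the default <pages validateRequest="true" /> and AntiXSS 4.x
// referenced. Class, method and field names are illustrative.
public static class CommentIngress
{
    // Constructed input: what a cooperating browser sends for a "comment" field
    // after applying the client-side encoding the MSDN text describes. Request
    // validation lets this through because it no longer contains a raw '<'
    // followed by a letter.
    public const string FromBrowser =
        "&lt;b&gt;hi&lt;/b&gt;&lt;script&gt;alert(1)&lt;/script&gt;";

    // Constructed input: what someone with curl sends, skipping the client.
    // With request validation on, this raw form is rejected before the page
    // code runs; with validation turned off for the page (ValidateRequest="false",
    // which is what developers do when they want to accept HTML) it arrives
    // untouched. The server-side handling must be the same either way.
    public const string FromCurl =
        "<b>hi</b><img src=x onerror=alert(1)>";

    // Field that is allowed to carry limited formatting HTML.
    public static string ToSafeFragment(string fieldValue)
    {
        // 1. Undo the client-side encoding. For unencoded input (curl) this is a
        //    no-op, so both origins converge on real markup rather than entity text.
        string markup = HttpUtility.HtmlDecode(fieldValue ?? string.Empty);

        // 2. White-list, not black-list: GetSafeHtmlFragment keeps a fixed set of
        //    formatting elements and drops script elements, event-handler attributes
        //    and script: URLs. This is the step the MSDN sentence leaves out.
        return Sanitizer.GetSafeHtmlFragment(markup);
    }

    // Field that must NOT carry HTML at all: do not sanitize, encode for output
    // so whatever was sent is displayed literally.
    public static string ToEncodedText(string fieldValue)
    {
        string text = HttpUtility.HtmlDecode(fieldValue ?? string.Empty);
        return Encoder.HtmlEncode(text);
    }
}
```

In a page handler this is used as ToSafeFragment(Request.Form["comment"]) before the value is stored, and the stored fragment is then emitted as-is; plain-text fields go through ToEncodedText at render time instead. The decode in step 1 is what makes the pipeline indifferent to whether the client encoded or not, which is the point of the answer: the client-side encoding only gets the data past request validation, the white-list sanitizer is what makes it safe.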

