Javascript injection attack prevention for textboxes


Problem description

Say I have a textBox and a property to get and set its value:

// Wraps the textbox value; HTML-encodes on both read and write.
public string SomeText
{
   get { return HttpUtility.HtmlEncode(textBox.Text); }
   set { textBox.Text = HttpUtility.HtmlEncode(value); }
}

I have used HtmlEncode to prevent JavaScript injection attacks. After thinking about it, though, I'm thinking I only need the HtmlEncode on the getter. The setter is only used by the system and cannot be accessed by an external user.

Is this correct?

Recommended answer

Yes. You only need to encode strings that you have accepted from the users and that you have to show inside your pages.
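
The difference between the two placements, as an added example that is not part of the original question or answer. `FakeTextBox`, `DemoPage` and `UserTypes` are hypothetical stand-ins for the WebForms control and page, and `WebUtility.HtmlEncode` is used in place of `HttpUtility.HtmlEncode` so the sketch runs as a console program without System.Web.

```csharp
using System;
using System.Net;

// Hypothetical stand-in for the WebForms TextBox control.
class FakeTextBox { public string Text { get; set; } = ""; }

class DemoPage
{
    private readonly FakeTextBox textBox = new FakeTextBox();

    // The property as posted in the question: encodes on set and on get.
    public string EncodedBothWays
    {
        get { return WebUtility.HtmlEncode(textBox.Text); }
        set { textBox.Text = WebUtility.HtmlEncode(value); }
    }

    // Encodes only when the value is read back for display.
    public string EncodedOnGet
    {
        get { return WebUtility.HtmlEncode(textBox.Text); }
        set { textBox.Text = value; }
    }

    // Simulates user input: a postback fills the control directly,
    // without going through either property setter.
    public void UserTypes(string input) { textBox.Text = input; }
}

static class Program
{
    static void Main()
    {
        var page = new DemoPage();

        // Constructed sample input: markup typed by an external user.
        page.UserTypes("<script>alert(1)</script>");
        Console.WriteLine("user input, read via getter : " + page.EncodedOnGet);

        // Constructed sample input: a value assigned by the system.
        page.EncodedBothWays = "Tom & Jerry";
        Console.WriteLine("system value, encoded twice : " + page.EncodedBothWays);

        page.EncodedOnGet = "Tom & Jerry";
        Console.WriteLine("system value, encoded once  : " + page.EncodedOnGet);
    }
}
```

The user-typed markup is returned by the getter as inert text (`&lt;script&gt;alert(1)&lt;/script&gt;`), while the value set through the doubly encoding property comes back as `Tom &amp;amp; Jerry` instead of `Tom &amp; Jerry`.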
