Why label x = txtName.Text; comes under XSS attack and what is the prevention here?
Problem description
I have the following code:
label x = txtName.Text;
When the security team analyzed the dll they said it was possible to perform an XSS attack on the above code. I know the textbox Text property does not prevent an XSS attack, so what should I do now?
Will the following amendment resolve the issue?
label x = Server.HtmlEncode(txtName.Text);
I am assuming you are talking about a WebForms Label - it is not clear from the question (post real code!)
This is a problem with the design of ASP.NET WebForms. Many elements have a property called Text, but the property does different things depending on the element.
You would hope that setting Text on a control would set its plain textual content. This safe operation is what the name would seem to imply. And that is the case on these controls:
- TextBox
- Button
- ImageButton
- ListItem
Unfortunately, on a bunch of other controls, the property of the same name actually sets the HTML markup in the element. So if you have a text string with <b> in it, you get some bold text instead of the letter b in some angle brackets. And if the text has strings such as <script> in it, code will be executed on the browser, resulting in security problems.
Some of these unfortunate unsafe controls are:
- Label
- HyperLink
- LinkButton
- RadioButton
- Checkbox
- TableCell
To use these safely, you must HTML-encode all content you write to the Text property.
Finally there is one control that swings both ways:
- Literal
By default this sets HTML markup (boo!), but if you set the Mode="Encode" property, it sets text instead.
This is of course all very confusing and no way to design a web framework, but that's what we've got to work with.
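The following is an added example, not code from the question or the answer above. It reproduces the two cases the answer describes: a Label whose Text is assigned raw user input, and the same Label after the input has been passed through an HTML encoder. The user input and the "rendered" span strings are constructed here to mirror what a WebForms Label emits; System.Net.WebUtility.HtmlEncode is used so the snippet runs as a plain console program, and it produces the same escaping as Server.HtmlEncode inside a page (the RenderLabel* helper names are this example's own).

```csharp
// Added example: raw versus HTML-encoded assignment to a Label-style control.
// Not part of the original Q&A; helper names and sample input are constructed.
using System;
using System.Net;

public static class LabelTextDemo
{
    // Constructed sample of attacker-controlled input, as if typed into txtName.
    public const string UserInput = "<script>alert(1)</script>";

    // Unsafe path: Label.Text is written into the <span> as markup,
    // exactly as the answer describes for Label, HyperLink, LinkButton, etc.
    public static string RenderLabelUnsafe(string text)
    {
        return "<span id=\"x\">" + text + "</span>";
    }

    // Safe path: encode before assigning, equivalent to
    // label x = Server.HtmlEncode(txtName.Text); in a WebForms page.
    public static string RenderLabelSafe(string text)
    {
        return "<span id=\"x\">" + WebUtility.HtmlEncode(text) + "</span>";
    }

    // Review-style check a defender can run over rendered output:
    // does a tag that was not part of the template survive unencoded?
    public static bool ContainsRawTag(string rendered, string tagName)
    {
        return rendered.IndexOf("<" + tagName, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        string unsafeHtml = RenderLabelUnsafe(UserInput);
        string safeHtml = RenderLabelSafe(UserInput);

        Console.WriteLine("Unsafe: " + unsafeHtml);
        Console.WriteLine("Safe:   " + safeHtml);
        Console.WriteLine("Raw <script> present (unsafe): " + ContainsRawTag(unsafeHtml, "script"));
        Console.WriteLine("Raw <script> present (safe):   " + ContainsRawTag(safeHtml, "script"));
    }
}
```

The encoded output contains `&lt;script&gt;` rather than `<script>`, so the browser displays the characters instead of executing them. For a Literal control the same effect is obtained by setting Mode="Encode" instead of calling the encoder by hand.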