Why isn't ValidateRequest="true" enough for XSS prevention?


Question

In the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation."

Why isn't it enough?

Recommended answer

Just two hints:

  • Your application might output not only data that was entered using your ASP.NET forms. Think of web services, RSS feeds, other databases, information extracted from user uploads etc.

  • Sometimes it's necessary to disable the default (effective but overly simple) request validation because you need to accept angle brackets in your forms. Think of a WYSIWYG editor.
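
The first hint above, shown as an added example that is not part of the original answer: a value read from an RSS feed never passes through ASP.NET request validation, so it has to be HTML-encoded at the point of output. The feed content and the names `FeedRenderDemo`, `RenderRaw` and `RenderEncoded` are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Xml.Linq;

static class FeedRenderDemo
{
    // Constructed sample feed. The second item title carries markup that
    // was never submitted through an ASP.NET form, so request validation
    // (ValidateRequest="true") never had a chance to inspect it.
    const string SampleFeed = @"<rss version=""2.0""><channel>
      <item><title>Release notes</title></item>
      <item><title>&lt;script&gt;alert(1)&lt;/script&gt;</title></item>
    </channel></rss>";

    // Unsafe: writes the feed value into the HTML response as-is.
    public static string RenderRaw(string title) => "<li>" + title + "</li>";

    // Safe: HTML-encodes at output time, regardless of where the data came from.
    public static string RenderEncoded(string title) =>
        "<li>" + WebUtility.HtmlEncode(title) + "</li>";

    static void Main()
    {
        // The XML parser decodes &lt; and &gt;, so the title arrives as real markup.
        var titles = XDocument.Parse(SampleFeed)
            .Descendants("item")
            .Select(i => (string)i.Element("title"));

        foreach (var t in titles)
        {
            Console.WriteLine("raw:     " + RenderRaw(t));
            Console.WriteLine("encoded: " + RenderEncoded(t));
        }
    }
}
```

For the second feed item, the raw line contains a live `<script>` element while the encoded line contains `&lt;script&gt;`, which the browser displays as text.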
