Allowing only certain HTML tags as user input
Question
My site allows site users to write blog posts:
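using System.Web.Mvc;

public class BlogPost
{
    // [AllowHtml] disables request validation for this property, so markup can be posted.
    // The attribute targets properties, so Content is declared as a property, not a field.
    [AllowHtml]
    public string Content { get; set; }
}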
The site was created from the MVC5 Internet application template and uses Bootstrap 3 for its CSS. So I decided to use http://jhollingworth.github.io/bootstrap-wysihtml5 to take care of all the JavaScript parts of a rich text editor.
It works like a charm. But in order to make the POST happen, I had to add the [AllowHtml] attribute as in the code above. So now I'm worried about dangerous content getting into the database and, in turn, being displayed to all users.
I tried submitting values like <script>alert("What's up?")</script> in the form and it seemed to be fine: the text was displayed exactly as typed (<script> became &lt;script&gt;). But this conversion seemed to be done by the JavaScript plugin I used.
So I used Fiddler to compose a POST request with the same script tag, and this time the page actually executed the JavaScript code.
Is there any way I can detect vulnerable input like <script> and even <a href="javascript:some_code">Link</a>?
Recommended answer
Unfortunately, you have to sanitize the HTML yourself. See how other people have done it:
- How to sanitize input from MCE in ASP.NET? - whitelist using Html Agility Pack
- .NET HTML Sanitation for rich HTML Input - blacklist using Html Agility Pack
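The whitelist approach from the first link can be sketched roughly as follows. This is a minimal illustration, not the code from either linked post: it assumes the HtmlAgilityPack NuGet package is installed, and the names HtmlWhitelistSanitizer, AllowedTags, AllowedSchemes and IsSafeUrl, as well as the particular tags and URL schemes allowed, are hypothetical choices made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack; // assumption: NuGet package "HtmlAgilityPack"

public static class HtmlWhitelistSanitizer
{
    private static readonly string[] NoAttributes = new string[0];

    // Hypothetical whitelist: tag name -> attributes allowed on that tag.
    private static readonly Dictionary<string, string[]> AllowedTags =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "p", NoAttributes }, { "br", NoAttributes },
            { "b", NoAttributes }, { "i", NoAttributes }, { "u", NoAttributes },
            { "ul", NoAttributes }, { "ol", NoAttributes }, { "li", NoAttributes },
            { "blockquote", NoAttributes },
            { "a", new[] { "href" } }
        };

    // Hypothetical list of URL schemes accepted in href values.
    private static readonly string[] AllowedSchemes = { "http", "https", "mailto" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // Snapshot the nodes first, because the tree is modified while we walk it.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                node.Remove();
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element)
            {
                continue; // text nodes are kept as they are
            }

            string[] allowedAttributes;
            if (!AllowedTags.TryGetValue(node.Name, out allowedAttributes))
            {
                node.Remove(); // drops the element together with its content
                continue;
            }

            // Strip every attribute that is not whitelisted for this tag.
            foreach (var attribute in node.Attributes.ToList())
            {
                bool allowed = allowedAttributes.Contains(attribute.Name, StringComparer.OrdinalIgnoreCase);
                bool isHref = string.Equals(attribute.Name, "href", StringComparison.OrdinalIgnoreCase);
                if (!allowed || (isHref && !IsSafeUrl(attribute.Value)))
                {
                    attribute.Remove();
                }
            }
        }

        return doc.DocumentNode.OuterHtml;
    }

    private static bool IsSafeUrl(string value)
    {
        // Decode entities first so that encoded schemes are not missed.
        string url = HtmlEntity.DeEntitize(value ?? string.Empty).Trim();
        Uri uri;
        // Only absolute URLs with a whitelisted scheme pass; relative URLs are rejected for simplicity.
        return Uri.TryCreate(url, UriKind.Absolute, out uri)
            && AllowedSchemes.Contains(uri.Scheme, StringComparer.OrdinalIgnoreCase);
    }
}
```

Under these assumptions, the controller action would call HtmlWhitelistSanitizer.Sanitize(post.Content) before saving, so a script element or an href starting with javascript: should not survive even when the request is composed by hand in Fiddler. Hand-written sanitizers tend to miss edge cases, so treat this as a starting point and test it against known XSS payloads.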
An alternative to accepting HTML is to accept Markdown or BBCode instead. Both are widely used (Stack Overflow uses Markdown!) and avoid taking raw HTML from users, provided the renderer is configured to escape or reject embedded HTML, since Markdown normally passes inline HTML through. Rich editors are available for both.
Edit
I found that the Microsoft Web Protection Library can sanitize HTML input through AntiXss.GetSafeHtml and AntiXss.GetSafeHtmlFragment. The documentation is really poor, though, and it seems you can't configure which tags are valid.