只允许某些HTML标签的用户输入 [英] Allowing only certain HTML tags as user input
问题描述
我的网站允许网站用户写博客,帖子
My site allows site-users to write blog-posts
class BlogPost
{
[AllowHtml]
public string Content;
}
该网站使用的是MVC5互联网应用程序模板,并使用引导3为它的CSS创建。所以我决定使用 http://jhollingworth.github.io/bootstrap-wysihtml5 照顾所有的富文本编辑器中的JavaScript部分。
The site is created using a MVC5 Internet application template and uses bootstrap 3 for it's CSS. So I decided to use http://jhollingworth.github.io/bootstrap-wysihtml5 to take care of all the JavaScript Part of a Rich Text Editor.
它的工作原理就像一个魅力。但为了使POST发生,我不得不把 [AllowHtml] 属性添加为code以上。所以现在我很害怕危险的东西,可以进入数据库,并在转显示给所有用户。
It works like a charm. But in order to make the POST happen, I had to add the [AllowHtml] attribute as in the code above. So now I'm scared of dangerous stuff that can get into the database and be in-turn displayed to all users.
我试着给值如<脚本>警报(怎么了?)< / SCRIPT>在形式等,它似乎是很好.. 。被显示的文本完全相同的方式(<脚本> 成为&放大器; LT;脚本&放大器; GT; 。但是,这种转换似乎被我用JavaScript的插件来完成。
I tried giving values like <script>alert("What's up?")</script> etc in the form and it seemed to be fine... the text was displayed exactly the same way (<script> became <script>. But this conversion seemed to be done by the javascript plugin I used.
所以我用小提琴手来构成相同的脚本标签,这一次的POST请求,该页面实际执行JavaScript的code。
So I used fiddler to compose a POST request with the same script tag and this time, the page actually executed the JavaScript code.
有什么办法,我可以找出像&LT脆弱的输入;脚本&GT; ,甚至&LT; A HREF =JavaScript的:some_ code&GT;链接&LT; / A&GT; ...
Is there any way I can figure out vulnerable input like <script> and even <a href="javascript:some_code">Link</a>...?
推荐答案
不幸的是,你必须自己清理的HTML。看到这些人们是如何做的:
Unfortunately, you have to sanitize the HTML yourself. See these on how people did it:
- 如何从MCE净化输入在ASP.NET? - 使用HTML敏捷性包白名单
- .NET HTML卫生丰富HTML输入 - 使用HTML敏捷性包黑名单
- How to sanitize input from MCE in ASP.NET? - whitelist using Html Agility Pack
- .NET HTML Sanitation for rich HTML Input - blacklist using Html Agility Pack
在接受HTML的替代方法是接受降价或的 BB code 代替。两者被广泛使用(降价所使用计算器!)和消除需要消毒的输入端。有可用的丰富的编辑了。
An alternative to accepting HTML is to accept markdown or BBCode instead. Both of them are widely used (markdown is used by stackoverflow!) and eliminate the need to sanitize the input. There are rich editors available too.
修改
我发现,微软的Web防护库可以处理HTML输入
通过AntiXss.GetSafeHtml和AntiXss.GetSafeHtmlFragment。
文档是真穷,但并好像你不能配置哪些标签是有效的。
I found that Microsoft Web Protection Library can sanitize HTML input through AntiXss.GetSafeHtml and AntiXss.GetSafeHtmlFragment. Documentation is really poor though and seems like you can't configure which tags are valid.
这篇关于只允许某些HTML标签的用户输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
