Automatically HtmlEncode in ASP.NET


Problem description

Spoiled by Ruby on Rails (3), I expect all my HTML output to be automatically encoded.

I asked this question about script exploits a bit earlier and am now wondering, is there some setting, plugin or extension for ASP.NET that will automatically cause all HTML to be HtmlEncode'ed or do I have to be really careful and ensure that on my own?

Solution

Various ASP.NET controls automatically encode HTML with HtmlEncode (and a few do URL encoding with UrlEncode), but it's not universal. Here's a list of controls and what encoding (if any) they do automatically. I don't know if it's updated for .NET 4.0 or not:

Which ASP.NET Controls Automatically Encodes? (this link will ask you to save the document)

This is the blog that the above document is from:

http://blogs.msdn.com/b/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx

It was originally posted in Sep 2008, so it's probably current for 2.0, but not necessarily 4.0. Still a useful resource to have, though, IMO.

You should also look at the Microsoft Anti-Cross Site Scripting Library 3.1.

As pointed out by balexandre, it appears the Anti-XSS library is now part of the open source Web Protection Library:

Microsoft Web Protection Library

Also, OWASP is a good resource for security information, and they have an Enterprise Security API project (ESAPI) that is available (to varying degrees) in various programming languages. The .NET one is not complete yet, I believe.

OWASP Enterprise Security API
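
An added example, not part of the original answer and not code from any of the libraries it names: one way to get Rails-style encode-by-default output in C# is to pass interpolated strings through a custom formatter that HTML-encodes every value unless it is explicitly marked as trusted. `RawHtml`, `HtmlEncodingFormatter` and `Html.Format` are hypothetical names chosen for this sketch; it assumes C# 7 or later and uses `System.Net.WebUtility.HtmlEncode`.

```csharp
using System;
using System.Globalization;
using System.Net;

// Hypothetical marker type: markup the developer has explicitly vouched for.
sealed class RawHtml
{
    public string Value { get; }
    public RawHtml(string value) { Value = value ?? string.Empty; }
    public override string ToString() => Value;
}

// Custom formatter: string.Format calls Format() once per interpolated value.
sealed class HtmlEncodingFormatter : IFormatProvider, ICustomFormatter
{
    public object GetFormat(Type formatType) =>
        formatType == typeof(ICustomFormatter) ? this : null;

    public string Format(string format, object arg, IFormatProvider provider)
    {
        if (arg is RawHtml raw) return raw.Value;            // trusted: pass through
        string text = arg is IFormattable f
            ? f.ToString(format, CultureInfo.InvariantCulture) // honour {x:F2} etc.
            : Convert.ToString(arg, CultureInfo.InvariantCulture);
        return WebUtility.HtmlEncode(text);                   // everything else: encode
    }
}

static class Html
{
    static readonly HtmlEncodingFormatter Encoder = new HtmlEncodingFormatter();

    // The literal parts of the template are kept; every {value} is encoded.
    public static RawHtml Format(FormattableString template) =>
        new RawHtml(template.ToString(Encoder));
}

static class Program
{
    static void Main()
    {
        // Constructed sample standing in for untrusted request data.
        string comment = "<b>Tom & \"Jerry\"</b>";
        RawHtml badge = new RawHtml("<em>new</em>");
        RawHtml page = Html.Format(
            $"<p title=\"{comment}\">{comment} {badge} {3.5:F2}</p>");
        Console.WriteLine(page);
    }
}
```

HTML encoding of this kind is appropriate for element content and quoted attribute values; values written into script blocks or URLs need the encoder for that context instead.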
