Fortify Cross Site Scripting in File


Question

I have the below code in the controller. The parameters base64String and fileName are being sent from the browser.

// base64String and fileName arrive unchanged from the browser request.
var fileContent = Convert.FromBase64String(base64String);
return File(fileContent, contentType, fileName);

How do I address the XSS threat here?

The above code is based on a fix recommended here Kendo UI Grid Export to Excel / PDF not working on IE9

Answer

I'm assuming you are not returning HTML to your users (you are returning PDFs or Excel files, or something else for download by the browser instead of for render).

The general guidelines are as follows:

  • Set the correct Content-Type header.

  • Set the following response header: X-Content-Type-Options: nosniff. Browsers such as Internet Explorer will try to auto-detect the content type and ignore the one you've just set.

  • Set the Content-Disposition header so the browser downloads the file rather than displaying it: Content-Disposition: attachment; filename="bar.pdf"

Following the above should ensure that any script code contained in the file is not executed by your browser. Be aware that IE (again!) can sometimes process script in XML files, so you should test for this.
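As an added example that is not part of the question or the answer above: a hardened version of the controller action, written for ASP.NET Core MVC (an assumption; the question does not say which MVC version is in use). It applies the three guidelines from the answer and goes beyond them in two ways that a static analyzer such as Fortify can actually see: the client-supplied contentType is checked against a server-side allow-list, and the download name is rebuilt on the server instead of being echoed from the request. ExportController, Download, SafeDownloadName, MaxPayloadBytes and the allowed-type table are illustrative names and values chosen for this example, not from the original page.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Mvc;

namespace ExportExample
{
    // Hypothetical controller for illustration (ASP.NET Core MVC assumed).
    public class ExportController : Controller
    {
        // Allow-list of content types this endpoint will serve, mapped to the
        // extension we put on the download name. Anything a browser might render
        // as a document (text/html, text/xml, image/svg+xml, ...) is deliberately
        // absent, so a client cannot turn the export endpoint into an HTML page.
        private static readonly Dictionary<string, string> AllowedTypes =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                ["application/pdf"] = ".pdf",
                ["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"] = ".xlsx",
                ["application/vnd.ms-excel"] = ".xls",
            };

        // Upper bound on the decoded payload (assumed value); stops a client from
        // making the server base64-decode an arbitrarily large body into memory.
        private const int MaxPayloadBytes = 20 * 1024 * 1024;

        private static readonly Regex UnsafeNameChars =
            new Regex(@"[^A-Za-z0-9._-]", RegexOptions.Compiled);

        // Builds a download name the server controls: directory components sent by
        // the client are discarded, unexpected characters become '_', and the
        // extension comes from the server-side content type, not from the client.
        public static string SafeDownloadName(string clientName, string extension)
        {
            string stem = Path.GetFileNameWithoutExtension(clientName ?? string.Empty);
            stem = UnsafeNameChars.Replace(stem, "_").Trim('.', '_');
            if (stem.Length == 0)
            {
                stem = "export";
            }
            if (stem.Length > 100)
            {
                stem = stem.Substring(0, 100);
            }
            return stem + extension;
        }

        [HttpPost]
        public IActionResult Download(string base64String, string contentType, string fileName)
        {
            // 1. Correct Content-Type: only serve types we expect to hand out.
            if (contentType == null || !AllowedTypes.TryGetValue(contentType, out string extension))
            {
                return BadRequest("Unsupported content type.");
            }

            // Reject oversized input before decoding (base64 encodes 3 bytes as 4 chars).
            if (base64String == null || base64String.Length > (MaxPayloadBytes / 3) * 4 + 4)
            {
                return BadRequest("Payload too large.");
            }

            byte[] fileContent;
            try
            {
                fileContent = Convert.FromBase64String(base64String);
            }
            catch (FormatException)
            {
                return BadRequest("Payload is not valid base64.");
            }

            // 2. Stop the browser from second-guessing the declared type.
            Response.Headers["X-Content-Type-Options"] = "nosniff";

            // 3. Force a download rather than an inline render. Passing a download
            //    name to File() makes MVC emit
            //    Content-Disposition: attachment; filename="<name>" for us.
            return File(fileContent, contentType, SafeDownloadName(fileName, extension));
        }
    }
}
```

Two points worth keeping in mind. First, a taint-tracking analyzer reports on the data flow from the request parameters into the response, and the two response headers on their own do not change that flow; the allow-list on contentType and the rebuilt file name are the validation steps you can point to when auditing the finding. Second, the nosniff header is usually better set once for every response in middleware rather than per action, so that a future export endpoint cannot forget it.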
