ValidateInput(false) vs AllowHtml


Question

I have a form that is used to create a memo. To do that I am using a rich text editor to provide some styling, which creates HTML tags in order to apply the style. When I post that text, MVC throws an error to prevent potentially dangerous scripts, so I have to specifically allow it.

I have found two ways of doing this: one is to decorate the controller method with [ValidateInput(false)], and the other is to decorate the ViewModel attribute with [AllowHtml]. To me, [AllowHtml] looks much nicer, but I have only found that approach used once, and [ValidateInput(false)] seems to be the preferred way.

Which method should I use and what are the differences between the two?

Answer

ValidateInput and AllowHTML are directly connected with XSS security issues.

So let us first try to understand XSS.

XSS (cross-site scripting) is a security attack where the attacker injects malicious code while doing data entry. Now the good news is that XSS is prevented by default in MVC. So if anyone tries to post JavaScript or HTML code, he lands on the error below.

But in real life there are scenarios where HTML has to be allowed, like HTML editors. So for those kinds of scenarios you can decorate your action with the attribute below.

using System.Web.Mvc;
public class ProductController : Controller
{
    // Request validation is switched off for every parameter of this action.
    [ValidateInput(false)]
    public ActionResult PostProduct(Product obj)
    {
        return View(obj);
    }
}

But wait, there is a problem here. The problem is that we have allowed HTML on the complete action, which can be dangerous. So if we could have more granular control at the field or property level, that would really create a neat, tidy and professional solution.

That's where AllowHTML is useful. You can see in the code below that I have decorated the product class at the property level with "AllowHTML".

using System.Web.Mvc;

public class Product
{
    // Still subject to request validation: markup posted here is rejected.
    public string ProductName { get; set; }
    // Only this property may carry HTML (and script) past request validation.
    [AllowHtml]
    public string ProductDescription { get; set; }
}

So, summarizing: "ValidateInput" allows scripts and HTML to be posted at the action level, while "AllowHTML" works at a more granular level.

I would recommend using "AllowHTML" more, until you are very sure that the whole action needs to be naked.

I would recommend that you read the blog post Preventing XSS Attacks in ASP.NET MVC using ValidateInput and AllowHTML, which demonstrates step by step the importance of these two attributes with an example.
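As an added example (not code from the original question or answer), here is the memo form from the question written both ways. The rich text editor only fills the memo body, so [AllowHtml] goes on that single property and the title keeps request validation; a second action shows the [ValidateInput(false)] alternative, which switches validation off for every parameter of that action. The names Memo, MemoController, Create and Index, and the view they redirect to, are assumptions.

```csharp
using System.Web.Mvc;

// Hypothetical view model for the memo form described in the question.
public class Memo
{
    // No attribute: request validation still rejects markup such as "<b>"
    // or "<script>" posted in this field.
    public string Title { get; set; }

    // The rich text editor posts HTML for this field only, so only this
    // property opts out of request validation.
    [AllowHtml]
    public string Body { get; set; }
}

public class MemoController : Controller
{
    // Preferred form: nothing is disabled on the action. Only Memo.Body may
    // carry HTML; markup in Title is still rejected during model binding.
    [HttpPost]
    public ActionResult Create(Memo memo)
    {
        if (!ModelState.IsValid)
        {
            return View(memo);
        }

        // Memo.Body is raw, untrusted HTML at this point. Razor's default
        // "@Model.Body" output HTML-encodes it when the memo is displayed;
        // rendering it with @Html.Raw would emit the submitted markup as-is.
        return RedirectToAction("Index");
    }

    // Alternative from the answer: the whole action is "naked", so every
    // parameter (here both Title and Body) bypasses request validation.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult CreateUnvalidated(Memo memo)
    {
        return View("Create", memo);
    }
}
```

Posting `Title=<b>x</b>` to Create fails request validation, while the same markup in Body binds normally; posting it to CreateUnvalidated binds in both fields, which is the broader exposure the answer warns about.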
