＆QUOT;＆LT;＆QUOT;在ASP.NET文本框 - GT＆;怎么能允许吗？ [英] "<" in a text box in ASP.NET --> how to allow it?

问题描述

我有显示，其中包含℃的字符串一个文本框;和>。在code抛出，因为一个错误。我怎样才能让这些字符的使用在我的文本框？

I have a textfield which displays a string which contains < and >. The code throws an error because of that. How can I allow the usage of those chars in my textfield?

感谢：）

推荐答案

问题是，当这个被发布到服务器时，它不会工作，不要紧，你什么尝试。这是ASP.NET XSS保护，它可以像这样被禁用：

Problem is that when this gets posted to server, it will not work, doesn't matter what you try. This is the ASP.NET XSS protection, which can be disabled like so:

<%@ Page ... ValidateRequest="false" %>

问题是，你必须非常小心验证所有自己回发。更简单的方法就是在发布前逃使用文本框的javascript中的所有内容。您可以使用相同的HTML转义，然后在服务器端code UNESCAPE它逃生。

Trouble is, you'll have to be very careful validating all the postback yourself. Easier way is to escape all the contents of textbox using javascript just before posting. You can escape it using same HTML escaping, then unescape in server side code.

更新：
逃脱的例子。这将在屏幕上闪烁的修改后的文本回传前 - 理想的解决方案是使用隐藏域对于这一点，也就是将值分配给一个隐藏的领域，而不是同一领域。这是最简单的版本：

Update: Example of escaping. This will flash the changed text on screen before postback - ideal solution is to use a hidden field for this, i.e. assign value to a hidden field, instead of that same field. This is the simplest version:

<script>
  function EscapeField(){
    document.getElementById("your client control ID").value = 
       escape(document.getElementById("your client control ID").value);
  }
</script>

和在code-背后：

this.ClientScript.RegisterOnSubmitStatement(this.GetType(), 
    "EscapeField", "EscapeField();")

更新：
再次，警告 - 如果您在数据库中像这样保存HTML，然后只需将它展示给客户，你是直接易受XSS攻击。有虫在那里，会发现并利用你的网站。确保你清理你所得到的HTML。

Update: Again, warning - if you save HTML in your database like this, and then just display it to the client, you are directly vulnerable to XSS attacks. There are worms out there that will find and exploit your web site. Make sure you cleanse the HTML you are getting.

这篇关于＆QUOT;＆LT;＆QUOT;在ASP.NET文本框 - GT＆;怎么能允许吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！