What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

Views: 471

Question

I just ran across a question with an answer suggesting the AntiXss library to avoid cross-site scripting. Sounded interesting; reading the MSDN blog, it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode().

Why should I use AntiXss.HtmlEncode over HttpUtility.HtmlEncode?

Indeed, I am not the first to ask this question. And, indeed, Google turns up some answers (http://blogs.msdn.com/securitytools/archive/2009/07/09/differences-between-antixss-htmlencode-and-httputility-htmlencode-methods.aspx), mainly


  • a white-list rather than a black-list approach

  • a 0.1ms performance improvement

Well, that's nice, but what does it mean for me? I don't care so much about the performance of 0.1ms and I don't really feel like downloading and adding another library dependency for functionality that I already have.

Are there examples of attacks that the AntiXss implementation will prevent but the HttpUtility implementation will not?

If I continue to use the HttpUtility implementation, am I at risk? What about this 'bug'?

Answer

I don't have an answer specifically to your question, but I would like to point out that the white-list vs. black-list approach is not just "nice". It's important. Very important. When it comes to security, every little thing is important. Remember that with cross-site scripting and cross-site request forgery, even if your site is not showing sensitive data, a hacker could infect your site by injecting JavaScript and use it to get sensitive data from another site. So doing it right is critical.

OWASP guidelines (http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#White_List_Input_Validation) specify using a white-list approach. PCI Compliance guidelines also specify this in coding standards (since they refer to the OWASP guidelines).

Also, the newer version of the AntiXss library has a nice new function: .GetSafeHtmlFragment(), which is nice for those cases where you want to store HTML in the database and have it displayed to the user as HTML.

Also, as for the "bug": if you're coding properly and following all the security guidelines, you're using parameterized stored procedures, so the single quotes will be handled correctly. If you're not coding properly, no off-the-shelf library is going to protect you fully. The AntiXss library is meant to be a tool to be used, not a substitute for knowledge. Relying on the library to do it right for you would be expecting a really good paintbrush to turn out good paintings without a good artist.

Edit - added

As asked in the question, an example of where the AntiXss library will protect you and HttpUtility will not:

HttpUtility.HtmlEncode and Server.HtmlEncode don't prevent cross-site scripting (http://caught-in-a-web.blogspot.com/2007/01/httputilityhtmlencode-and-server.html)

That's according to the author, though. I haven't tested it personally.

It sounds like you're up on your security guidelines, so this may not be something I need to tell you, but just in case a less experienced developer is out there reading this, the reason I say that the white-list approach is critical is this.

Right now, today, HttpUtility.HtmlEncode may successfully block every attack out there, simply by removing/encoding < and >, plus a few other "known potentially unsafe" characters, but someone is always trying to think of new ways of breaking in. Allowing only known-safe (white-list) content is a lot easier than trying to think of every possible unsafe bit of input an attacker could possibly throw at you (black-list approach).
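An added illustration of the white-list versus black-list distinction that both the question's bullet list and the answer above turn on. It is not part of the question or the answer, and it is not the code of HttpUtility.HtmlEncode or AntiXss.HtmlEncode: the two character sets below (BLACKLIST and SAFE) are assumptions chosen to make the difference visible, and the sample input is constructed. The check for a surviving apostrophe corresponds to the 'bug' the question mentions; note that .NET 4.0 and later changed HttpUtility.HtmlEncode to encode the apostrophe as &#39;, so the gap shown here is the historical one the answer refers to.

```python
# Constructed illustration of black-list vs. white-list HTML encoding.
# Neither function is the real HttpUtility.HtmlEncode or AntiXss.HtmlEncode;
# the character sets below are assumptions chosen to show the difference.

# Black-list style: replace only the characters known to be dangerous in
# HTML text; every other character passes through untouched.
BLACKLIST = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}

# White-list style: pass through only characters known to be safe and
# encode everything else as a decimal character reference. This safe set
# (ASCII letters, digits, space, a few punctuation marks) is a deliberately
# small assumption, not either library's actual list.
SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_")


def blacklist_encode(text: str) -> str:
    """Encode using the black-list approach: known-bad characters only."""
    return "".join(BLACKLIST.get(ch, ch) for ch in text)


def whitelist_encode(text: str) -> str:
    """Encode using the white-list approach: everything not known-good."""
    return "".join(ch if ch in SAFE else f"&#{ord(ch)};" for ch in text)


def passed_only_by_blacklist(text: str) -> list:
    """Characters of `text` that the black-list encoder leaves raw but the
    white-list encoder encodes: the gap between the two approaches."""
    return sorted(
        {ch for ch in text
         if blacklist_encode(ch) == ch and whitelist_encode(ch) != ch}
    )


def safe_for_single_quoted_attribute(encoded: str) -> bool:
    """Defensive check for the apostrophe 'bug' discussed above: an encoded
    value may only be placed inside value='...' if no raw apostrophe survived."""
    return "'" not in encoded


# Constructed sample input: a name containing an apostrophe, a bit of
# markup, and an accented character.
SAMPLE = "O'Neil <b>&</b> café"

if __name__ == "__main__":
    print("black-list:", blacklist_encode(SAMPLE))
    print("white-list:", whitelist_encode(SAMPLE))
    print("raw only under black-list:", passed_only_by_blacklist(SAMPLE))
    print("black-list output safe in value='...':",
          safe_for_single_quoted_attribute(blacklist_encode(SAMPLE)))
```

Running it shows the black-list encoder leaving the apostrophe, the slash and the accented character raw, while the white-list encoder emits them as &#39;, &#47; and &#233;. The practical point for a defender is the last line: an encoder that only strips a known-bad list can still produce output that is wrong for a context (here, a single-quoted attribute) its author did not anticipate, whereas the white-list output is the same regardless of what new characters later turn out to matter.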
