preventing XSS(跨站脚本) [英] Preventing XSS (Cross-site Scripting)
问题描述
让我们说我有一个简单的ASP.NET MVC的博客应用,我想,让读者评论添加到博客文章。如果我想prevent任何类型的XSS有心计的,我可以带HTML code所有的意见,让他们渲染时变得无害。但是,如果我想的部分的像超链接,粗体,斜体等基本功能?
Let's say I have a simple ASP.NET MVC blog application and I want to allow readers to add comments to a blog post. If I want to prevent any type of XSS shenanigans, I could HTML encode all comments so that they become harmless when rendered. However, what if I wanted to some basic functionality like hyperlinks, bolding, italics, etc?
我知道,计算器使用大规模杀伤性武器降价编辑,这似乎是一个伟大的选择是什么,我试图完成,如果不是它支持的事实的两个的HTML和降价这离开它开放的XSS攻击。
I know that StackOverflow uses the WMD Markdown Editor, which seems like a great choice for what I'm trying to accomplish, if not for the fact that it supports both HTML and Markdown which leaves it open to XSS attacks.
推荐答案
如果你不希望使用编辑器,你可以考虑的 OWASP的AntiSamy 。
If you are not looking to use an editor you might consider OWASP's AntiSamy.
您可以在这里运行的一个例子:
http://www.antisamy.net/
You can run an example here: http://www.antisamy.net/
这篇关于preventing XSS(跨站脚本)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!