是否有必要HtmlEn code文本框的值如果启用ASP.NET的请求验证? [英] Is it necessary to HtmlEncode Textbox values if ASP .Net Request Validation is enabled?
问题描述
如果ASP.NET请求验证为网站启用,你还需要HtmlEn code和HtmlDe code字符串信息,并从简单的形式(例如ASP文本框)?
如果ASP.NET请求验证为网站启用,你还需要HtmlEn code
ASP.NET请求验证是一个劈尝试解决愚蠢的作者的破程序。不要写坏了的程序。
您编写到HTML页面中的文本字符串必须是HTML-CN codeD;这是正确的事,不只是安全(这是正确的子集)。即使请求验证能够奇迹般地消除任何可能的XSS攻击(这是的这样的不一样的情况下),未能HtmlEn code文本输出仍然让你开到生产畸形的输出,破坏您的数据。说我是做一个论坛帖子在谈论一些变量
A,B和C和想说的话:A< B&B酒店以及c B>将如果被回显到HTML源unen $ C $的CD,我会得到:
在 C B> A
,也许是页面的其余部分将大胆了。哎呦!
请求验证是假的,而不应依赖该等资料。默认情况下,作为上和建议所有生产环境是可悲的,使我严重怀疑ASP.NET开发团队的理智。
如果你已经正确地写入你的程序,你不需要它,它只会得到你的方式。 (例如,如果是用它,我不能让这个职位,提到
<脚本方式>标签)如果你还没有写你的程序正确,请求验证是不会解决您的安全漏洞,它只是将让他们多一点模糊。
和HtmlDe code字符串信息
您通常不HtmlDe code在一个Web应用程序什么。你带code将内容推伸到HTML,但是当内容从提交的表单回来的是纯文本,而不是HTML-CN codeD。
,并从简单的形式(例如ASP文本框)?
文本框应该罚款;设置其
。文本没有做任何必要的编码,使你不得不出现在文本框中的确切字符串。但。有些东西看起来像他们应该是编码的HTML自动实际上没有。例如:myTextBox.Text =A< B B> C; //也好!
myLabel.Text =A< B B> C; //碎了!哦,亲爱的。
文本并不总是意味着文本。 <一href=\"http://msmvps.com/blogs/calinoiu/archive/2006/06/13/what-s-wrong-with-asp-net-html-encoding.aspx\">Sometimes,这实际上意味着HTML 。谢谢你微软,路泥泞的一个话题太多的人已经觉得很难理解水域。If ASP.NET Request Validation is enabled for a site, do you still need to HtmlEncode and HtmlDecode string information to and from simple forms (e.g. ASP Textboxes)?
解决方案If ASP.NET Request Validation is enabled for a site, do you still need to HtmlEncode
ASP.NET Request Validation is a hack to try to work around stupid authors' broken programs. Don't write broken programs.
Any text string you write into an HTML page must be HTML-encoded; this is a matter of correctness, not just security (which is a subset of correctness). Even if Request Validation could magically remove any possible XSS attack (and that is so nothing like the case), failing to HtmlEncode text output would still leave you open to producing malformed output, mangling your data. Say I was making a forum post talking about some variables
a,bandcand wanted to say:a<b b>c b>aIf that was echoed to the HTML source unencoded, I'd get:
ac b>a
and maybe the rest of the page would be bold too. Whoops!
Request Validation is bogus and shouldn't be relied upon. Being on by default and "recommended for all production environments" is sad and makes me seriously doubt the sanity of the ASP.NET team.
If you have written your program correctly, you don't need it and it will just get in your way. (For example, if SO used it, I wouldn't be able to make this post that mentions the
<script>tag.) If you haven't written your program correctly, Request Validation isn't going to fix your security holes, it's just going to make them a bit more obscure.and HtmlDecode string information
You don't usually HtmlDecode anything in a web app. You encode to push content out into HTML, but when content comes back in from a submitted form it is as plain text, not HTML-encoded.
to and from simple forms (e.g. ASP Textboxes)?
Textboxes should be fine; setting their
.Textdoes do any necessary encoding, making the exact string you had appear in the textbox. But. Some things that look like they should be HTML-encoding automatically actually don't. For example:myTextBox.Text= "a<b b>c"; // Fine! myLabel.Text= "a<b b>c"; // Broken!Oh dear.
Textdoes not always mean Text. Sometimes, it actually means HTML. Thank you Microsoft, way to muddy the waters of a topic too many people already find hard to understand.这篇关于是否有必要HtmlEn code文本框的值如果启用ASP.NET的请求验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
