为什么需要Server.HtmlEn code？ [英] Why is Server.HtmlEncode required?

问题描述

我无法理解为什么需要Server.HtmlEn code？ MSDN指出，它是用来连接code可能不安全的字符转换成HTML-CN codeD等价的。

I am not able to understand why Server.HtmlEncode is required? MSDN states that it is used to encode potentially unsafe characters into HTML-encoded equivalent.

有人可以给我一些想法，这些人物是如何不安全的，需要我们用Server.HtmlEn code？

Can someone give me some idea how these characters are unsafe and require us to use Server.HtmlEncode ?

感谢。

推荐答案

字符怎么可能不安全的一个例子是，如果用户提交网页上的评论。如果注释形式不使用HtmlEn code，则任何用户只需键入现在将作为在页面上的注释可见。在这种情况下，黑客可以像提交以下评论：

One example of how characters can be unsafe is if the user submits a comment on your page. If the comment form does not use HtmlEncode then anything the user has just typed will now be visible as a comment on the page. In that case, a hacker could submit a comment like the following:

<script language="javascript" type="text/javascript">
window.location = 'http://server.com/viruspage.asp';
</script>

有关谁加载页面的每个后续用户，将运行该脚本（因为它没有被带HtmlEn code codeD），每个用户重定向到一个网页，病毒。这是一个非常简单的例子，但也有许多其他的方式来输入恶意数据，甚至可能让黑客管理访问权限的数据库。

For each subsequent user who loads the page, the script will run (because it hasn't been encoded with HtmlEncode), redirecting each user to a page with viruses. This is a very simple example, but there are many other ways to input malicious data, potentially even giving hackers administrative access to your databases.

这篇关于为什么需要Server.HtmlEn code？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！