为什么需要Server.HtmlEn code? [英] Why is Server.HtmlEncode required?
问题描述
我无法理解为什么需要Server.HtmlEn code? MSDN指出,它是用来连接code可能不安全的字符转换成HTML-CN codeD等价的。
I am not able to understand why Server.HtmlEncode is required? MSDN states that it is used to encode potentially unsafe characters into HTML-encoded equivalent.
有人可以给我一些想法,这些人物是如何不安全的,需要我们用Server.HtmlEn code?
Can someone give me some idea how these characters are unsafe and require us to use Server.HtmlEncode ?
感谢。
推荐答案
字符怎么可能不安全的一个例子是,如果用户提交网页上的评论。如果注释形式不使用HtmlEn code,则任何用户只需键入现在将作为在页面上的注释可见。在这种情况下,黑客可以像提交以下评论:
One example of how characters can be unsafe is if the user submits a comment on your page. If the comment form does not use HtmlEncode then anything the user has just typed will now be visible as a comment on the page. In that case, a hacker could submit a comment like the following:
<script language="javascript" type="text/javascript">
window.location = 'http://server.com/viruspage.asp';
</script>
有关谁加载页面的每个后续用户,将运行该脚本(因为它没有被带HtmlEn code codeD),每个用户重定向到一个网页,病毒。这是一个非常简单的例子,但也有许多其他的方式来输入恶意数据,甚至可能让黑客管理访问权限的数据库。
For each subsequent user who loads the page, the script will run (because it hasn't been encoded with HtmlEncode), redirecting each user to a page with viruses. This is a very simple example, but there are many other ways to input malicious data, potentially even giving hackers administrative access to your databases.
这篇关于为什么需要Server.HtmlEn code?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!