Ajax控件工具包编辑器控制 - 避免XSS攻击 [英] Ajax Control Toolkit Editor Control - avoiding XSS attacks
问题描述
我这文章注意到, Microsoft不建议使用从Ajax控件工具包编辑器控制的,因为跨站点脚本攻击的危险性公共场所。我尝试过了,即使你专门设置的NoScript =真这是可能添加脚本,因此,引入XSS攻击漏洞。在我的情况,我们正在研究奖学金申请过程中,我们曾希望用这个来所有被提名人,高达上线的文章。我们想借此数据,并重新显示到审查委员会,但很明显,这是一个坏主意。
I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, introduce XSS attack vulnerabilities. In my situation, we are working on a scholarship application process, and we had hoped to use this to all nominees to type up an Essay on-line. We wanted to take the data and re-display it to the review board, but obviously, this is a bad idea.
所以我想知道如果任何人验证的内容,允许HTML一个简单的方法知道,但是没有剧本,也许使用的CustomValidator或普通防爆pression,我可以在code-使用背后。我知道,这是更好地为白名单验证,而不是黑名单验证,M专门找了。
So I'm wondering if anyone knows of a simple way of validating the content to allow HTML, but not script, perhaps using a CustomValidator or a Regular Expression that I can use in the code-behind. I'm aware that it's better to to white list validation and not blacklist validation, 'm specifically looking for that.
另外,如果有谁知道类似的控制,它防止XSS攻击,那将是一件好事,太。
Alternatively, if anyone is aware of a similar control that does protect against XSS attacks, that would be good, too.
推荐答案
在AntiXSS库的最新版本,现在做了一些HTML禁制,我认为会做你想要什么。看看 Blowdart 的它的这里。
The latest release of the AntiXSS library now does some HTML sanitisation which I think will do what you want. Have a look at Blowdart's blog on it here.
更新2015年9月15日:
该AntiXSS得到了滚进了 .NET 4.0框架,在你的的.config
文件来实现它。
UPDATE 15 Sep 2015:
The AntiXSS got rolled into the .Net 4.0 Framework, enable it in your .config
file.
这篇关于Ajax控件工具包编辑器控制 - 避免XSS攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!