preventing Javascript和跨站脚本攻击 [英] Preventing Javascript and XSS attacks
问题描述
我XSS-打样我公司网站了解javascript和XSS攻击。这是写在ASP.NET Web表单。
I'm xss-proofing my web site for javascript and xss attacks. It's written in ASP.NET Webforms.
我想测试的主要部分是具有一个文本框(TinyMCE的连接到它)的用户控制。
The main part I'd like to test is a user control that has a textbox (tinyMCE attached to it).
用户可以在这个文本提交书面故事的网站。我必须设置 validateRequest 为false,因为我想获得用户的故事,故事中HMTL(TinyMCE的)。
Users can submit stories to site by writing in this textbox. I had to set validateRequest to false since I want to get users' stories in HMTL (tinyMCE).
我应该怎样prevent JavaScript的XSS攻击?由于用户的故事是HMTL文本,我不能使用 Server.HtmlEn code 关于他们的故事。一般情况下,什么是接收来自用户的HTML内容,保存,然后显示给用户的安全方法?
How should I prevent javascript-xss attacks? Since users' stories are HMTL texts, I cannot use Server.HtmlEncode on their stories. In general, what's the safe way to receive HTML content from user, save and then display it to users?
如果一个用户把恶意code在文本并提交,有一个机会,这可能会伤害谁查看文字其他人呢?结果
谢谢你。
If one user puts malicious code in the textbox and submits it, is there a chance that this could harm other people who view that text?
Thanks.
推荐答案
如果你不清理一下用户将在文本框中并提交,那么是的,是有机会做伤害。
If you don't clean what the user puts in the textbox and submits, then yes, there is a chance for harm to be done.
您可能要检查出微软反跨站点脚本库,因为它旨在帮助开发人员prevent只是这类攻击。
You might want to check out the Microsoft Anti-Cross Site Scripting Library, as it is designed to help developers prevent just such attacks.
另外值得一看就是OWASP的跨站点脚本(XSS )
Also worth taking a look at is OWASP's Cross-site Scripting (XSS)
您可能想看看HttpUtility.HtmlEn code和HttpUtility.HtmlDe code为好。我只是写了一个快速测试,它看起来像它可能低于(有关如何在正确的格式显示数据的其他用户)解决注释您关注:
You might want to look into HttpUtility.HtmlEncode and HttpUtility.HtmlDecode as well. I just wrote a quick test, and it looks like it might address your concern in the comment below (about how to display the data to other users in the right format):
string htmlString = "<b>This is a test string</b><script>alert(\"alert!\")</script> and some other text with markup <ol><li>1234235</li></ol>";
string encodedString = HttpUtility.HtmlEncode(htmlString);
// result = <b>This is a test string</b><script>alert("alert!")</script> and some other text with markup <ol><li>1234235</li></ol>
string decodedString = HttpUtility.HtmlDecode(encodedString);
// result = <b>This is a test string</b><script>alert("alert!")</script> and some other text with markup <ol><li>1234235</li></ol>
ASP.NET控件和HTMLEn code
我去后,我从我的课了的信息,但我发现一个链接,列出了同样的事情(1.1和2.0),所以我会后的链接,便于参考。你也许可以得到未列出具体的控制(或3.0 / 3.5 / 4.0版本,如果他们已经改变)通过查看MSDN上的详细信息,但是这应该作为一个快速入门指南为你,至少。让我知道如果你需要更多的信息,我会看看我能找到的。
ASP.NET Controls and HTMLEncode I was going to post the information I had from my class, but I found a link that lists the exact same thing (for 1.1 and 2.0), so I'll post the link for easier reference. You can probably get more information on a specific control not listed (or 3.0/3.5/4.0 versions if they've changed) by looking on MSDN, but this should serve as a quick start guide for you, at least. Let me know if you need more information and I'll see what I can find.
<一个href=\"http://msmvps.com/blogs/calinoiu/archive/2006/06/13/what-s-wrong-with-asp-net-html-encoding.aspx\"相对=nofollow> ASP.NET控件默认HTML编码
下面是一个更加融为一体prehensive从在MSDN博客一个列表:<一href=\"http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-components-postattachments/00-08-91-89-96/asp.net_5F00_control_5F00_encoding.htm\"相对=nofollow>其中的ASP.NET控件自动连接codeS?
Here's a more comprehensive list from one of the MSDN blogs: Which ASP.NET Controls Automatically Encodes?
这篇关于preventing Javascript和跨站脚本攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
