ASP.Net MVC Html.Raw与AntiXSS保护 [英] ASP.Net MVC Html.Raw with AntiXSS protection
问题描述
我要显示在Java脚本变量用户的内容。
I want to display user content in a java script variable.
与所有用户生成的内容,我想在输出之前来净化它。
As with all user generated content, I want to sanitize it before outputting.
ASP.Net MVC默认完成了这个伟大的工作:
ASP.Net MVC does a great job of this by default:
@{
var name = "Jón";
}
<script> var name ='@name';</script>
用于上述的输出是:
The output for the above is:
Jón
这是伟大的,因为它保护我从用户将&LT;标签&GT; 和&LT;脚本&GT; evilStuff&LT; / SCRIPT&GT; 在他们的名字和玩无聊的游戏。
This is great as it protects me from users putting <tags> and <script>evilStuff</script> in their names and playing silly games.
在上面的例子中,我想从恶人的理智,但我不想HTML EN code UTF8有效字符不是邪恶的。
In the above example,I want sanity from evil doers but I don't want to HTML encode UTF8 valid characters that aren't evil.
我要输出阅读:
Jón
但我也想保护XSS该编码给我。
but I also want the XSS protection that encoding gives me.
使用白名单框架(即Microsoft.AntiXSS)以外的其他地区没有任何内置的MVC功能,有助于在这里?
Outside of using a white listing framework (ie Microsoft.AntiXSS) is there any built in MVC function that helps here?
更新:
看起来这似乎实现这一东西看起来的喜欢它的工作:
It looks like this appears to achieve something that looks like it does the job:
@{
var name = "Jón";
}
<script> var name ='@Html.Raw(HttpUtility.JavaScriptStringEncode(name))';
这是否会防止最所有XSS攻击?
推荐答案
您不得不写自己的EN codeR或者找其他第三方之一。默认连接在ASP.NET codeRS往往通过编码比可能不一定需要什么样的更多的是更安全的一边犯错。
You'd have to write your own encoder or find another 3rd party one. The default encoders in ASP.NET tend to err on the side of being more secure by encoding more than what might necessarily be needed.
说了这么多,请不要写自己的EN codeR 的!编写正确的HTML编码程序是一项非常艰巨的工作,只有对那些谁拥有特定高级安全专业知识是合适的。
Having said that, please don't write your own encoder! Writing correct HTML encoding routines is a very difficult job that is appropriate only for those who have specific advanced security expertise.
我的建议是使用什么样的内置,因为它是正确的,而且相当安全。虽然它可能会出现生产低于理想的HTML输出,你比防患于未然。
My recommendation is to use what's built-in because it is correct, and quite secure. While it might appear to produce less-than-ideal HTML output, you're better safe than sorry.
现在,请注意,这code:
Now, please note that this code:
@Html.Raw(HttpUtility.JavaScriptStringEncode(name))
时的不的正确,是的不的安全,因为它是无效使用JavaScript编码路由来渲染HTML标记。
Is not correct and is not secure because it is invalid to use a JavaScript encoding routing to render HTML markup.
这篇关于ASP.Net MVC Html.Raw与AntiXSS保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
