使得博客评论用户发布的安全 [英] Making the blog comments posted by users safe

问题描述

我在我的网站上创建一个博客引擎的过程。没什么特别。用户将注册一些基本信息，包括评论本身就是这个问题的问题。

I'm in the process of creating a blog engine on my website. Nothing fancy. The user will register some basic information, including the comment itself that is the issue of this question.

在注释字段，用户可以写一些文字，但目前有没有从编写任何有害物品有阻止他，那会搞乱了页面的评论呈现时。

Inside the comment field, the user can write some text, but there are currently nothing stopping him from writing anything harmful there, that would mess up the page when rendering it with comments.

所以我想知道什么最简单的方法来完成这三项任务（希望建成.NET :)东西）

So I'm wondering what the easiest way to accomplish these three tasks are (hoping for something built into .NET :) )

• 确保无有害HTML写入文本框中运行脚本，或者只是让网页渲染为所有用户将错误添加评论后。


• 我还是要接受像＆LT标签;一个GT＆; ，＆LT; B＆GT; 等使用户可以格式化他的文字，并提供链接。


• 在邮件中的任何换行符应该得到尊重，这样，当为html当用户在写呈现的评论看起来是一样的。目前，所有换行符将被忽略，因为标准HTML内容。

• Making sure that no harmful html are written into the textbox to run scripts, or to just make the page render with an error for all users after the comment is added.
• I still want to accept tags like <a>,<b> and so on so the user can format his text, and provide links.
• Any linebreaks in the message should be honored so that the comment looks the same when rendered as html as when the user wrote it in. Currently, all line breaks are just ignored, as standard for html content.

推荐答案

您想确保你添加值时，你的数据库，以避免SQL注入使用适当的方法，有上的如何从SQL Injeciton保护ASP.NET 的，我建议你阅读

You want to make sure that you use a proper method when adding values to your database to avoid SQL Injection, there's an MSDN article on How To Protect from SQL Injeciton in ASP.NET that I recommend you to read.

当你希望允许用户格式化code你自己开辟漏洞和你最certainl必须考虑不止一次在于此。首先你要确保每一个标签都有一个匹配的结束标签。因为如果有人写：＆LT;强＆GT;您好你不希望以后所有文字大胆

When you want to allow users to format code themselves you open up for exploits and you most certainl have to think more than once on this. First of all you want to make sure that every tag has a matching end-tag. Because if someone writes: <strong>Hello! you don't want all text after that to be bold.

要帮助你达致这可以使用几个不同的库这两种方法/库，我建议：

To help you acheive this you can use a couple of different libraries these are two of the methods/libraries I recommend:

• 的Html敏捷性包


• ASP.NET BB $ C $ ç

• Html Agility Pack
• ASP.NET BBCode

在这里你允许用户编写[黑体]文字[/粗体]，然后您使用一切所谓 HTML编码可以使用的方法。所以，如果你写了以下内容：

You can use an approach where you allow users to write [bold]text[/bold] and then you use something called Html Encoding on everything else. So If you write the following:

＆LT;强＆gt;这不会是大胆＆LT; / STRONG＆GT;！[黑体]但这种意愿[/粗体]

输出可能是：

＆LT;强＆gt;这不会是大胆＆LT; / STRONG＆GT; <！/ code> 但是这会

您通过以下步骤达致这：

You acheive this by following these steps:

• HTML恩code文本


• 替换你的BB code标签（[黑体]，什么不可以）适当HTML

对于需要用＆LT替换 \\ r \\ n 的换行符; BR /＆GT; ，检查HTML敏捷包本或使用与string.replace 。

Regarding the line-breaks you need to replace \r\n with <br />, check the Html Agility Pack for this or use String.Replace.

您还可能需要阅读杰夫斯博客张贴有关安全HTML和XSS 。

这篇关于使得博客评论用户发布的安全的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！