只允许某些 HTML 标签作为用户输入 [英] Allowing only certain HTML tags as user input
问题描述
我的站点允许站点用户撰写博客文章
My site allows site-users to write blog-posts
class BlogPost
{
[AllowHtml]
public string Content;
}
该网站是使用 MVC5 Internet 应用程序模板创建的,并使用 Bootstrap 3 作为其 CSS.所以我决定使用 http://jhollingworth.github.io/bootstrap-wysihtml5 来照顾富文本编辑器的所有 JavaScript 部分.
The site is created using a MVC5 Internet application template and uses bootstrap 3 for it's CSS. So I decided to use http://jhollingworth.github.io/bootstrap-wysihtml5 to take care of all the JavaScript Part of a Rich Text Editor.
它就像一个魅力.但是为了使 POST 发生,我必须像上面的代码一样添加 [AllowHtml] 属性.所以现在我害怕可能进入数据库并依次显示给所有用户的危险内容.
It works like a charm. But in order to make the POST happen, I had to add the [AllowHtml] attribute as in the code above. So now I'm scared of dangerous stuff that can get into the database and be in-turn displayed to all users.
我尝试在表单中给出像 <script>alert("What's up?")</script> 之类的值,似乎没问题...文本显示准确以同样的方式(
