Sanitizing Input with JsonConvert.SerializeObject in MVC4?


Problem description


Long story short, I'm trying to get the output from JsonConvert.SerializeObject to be sanitized without having to modify the contents of the saved data.


I'm working on an app that has the following markup in the view:

<textarea data-bind="value: aboutMe"></textarea>


If I save the following text, I run into problems:

<script type="text/javascript">alert("hey")</script>


The error I get in FF:


The relevant part of the offending rendered text:


$(document).ready(ko.applyBindings(new MyProfileVm({"profileUsername":"admin","username":"Admin","aboutMe":"alert(\"hey\")","title":"Here's a short self-bio! :)","thumbnail":"https://i.imgur.com/H1HYxU9.jpg","locationZip":"22182","locationName":"Vienna, VA"


And finally - at the bottom of my view:

<script type="text/javascript">
    $(document).ready(ko.applyBindings(new MyProfileVm(@Html.Raw(JsonConvert.SerializeObject(Model, new JsonSerializerSettings() { ContractResolver = new CamelCasePropertyNamesContractResolver() })))));
</script>


Here, I'm passing the model that I get from the MVC controller into the js ViewModel for knockout to map into observable data. The Raw encoding seems to be the problem, but I'm not sure how to go about handling it.


To be clear, I'm getting data from the server, and outputting it to the client, which is mucking up the JSON/KO combo.

Recommended answer


The problem is that you cannot have a closing </script> tag inside a JavaScript string literal, because the browser interprets it as the end of the script block. See also: Script tag in JavaScript string


There is no built-in function in ASP.NET that could handle it on the server side, so before outputting your generated script you need to replace the </script> with something else:

<script type="text/javascript">
    $(document).ready(ko.applyBindings(new MyProfileVm(@Html.Raw(
        JsonConvert.SerializeObject(Model, 
            new JsonSerializerSettings() { 
                 ContractResolver = new CamelCasePropertyNamesContractResolver() 
        }).Replace("</script>", "</scripttag>")
    ))));
</script>


Of course, if you need this in multiple places you can move this logic into a helper/extension method, like:

public static class JavaScriptExtensions
{
    public static string SerializeAndEscapeScriptTags(this object model)
    {
        return JsonConvert.SerializeObject(model,
            new JsonSerializerSettings()
                {
                    ContractResolver = new CamelCasePropertyNamesContractResolver()
                }).Replace("</script>", "</scripttag>");
    }
}

And use it like this:

@using YourExtensionMethodsNamespace

<script type="text/javascript">
        $(document).ready(ko.applyBindings(new MyProfileVm(@Html.Raw(
            Model.SerializeAndEscapeScriptTags()))));
</script>


And on the JavaScript side in your Knockout viewmodel you need to replace back the </script> tag before the usage:

var MyProfileVm = function(data) {
   //...
   this.aboutMe = ko.observable(
     // you need  `"</scr"+ "ipt>"` because of the above mentioned problem.
   data.aboutMe.replace(/<\/scripttag>/g, "</scr"+ "ipt>"));
}


Of course you can also create a helper function for this, like:

function fixScriptTags(data) {
    for(var prop in data) {
        if (typeof(data[prop]) == "string") {
            data[prop] = data[prop].replace(/<\/scripttag>/g, "</scr"+ "ipt>");
        }
        //todo check for complex property values and call fixScriptTags recursively
    } 
    return data;
}

And use it like this:

ko.applyBindings(new ViewModel(fixScriptTags(data)));

jsFiddle.
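As an added example that is not part of the original question or answer (and not Json.NET or Knockout code), the following takes the other route to the same problem: instead of rewriting </script> to a placeholder on the server and rewriting it back inside every view model, the JSON payload is escaped so that "<", ">" and "&" never appear literally inside the script block. "\u003c" is valid JSON, so JSON.parse, and therefore Knockout, sees the original characters and no client-side replace-back is needed. The HTML tokenizer matches the closing "</script" tag ASCII case-insensitively and only when it is followed by whitespace, "/" or ">", which is what the endsScriptBlock check models; it also explains why the answer's "</scripttag>" placeholder works while an uppercase "</SCRIPT>" would still end the block. The names escapeJsonForScript, endsScriptBlock, buildInlineScript and sampleModel are chosen here, the sample data is constructed, and padStart assumes Node 8+ or a current browser. On the server, Json.NET produces the same escaping when JsonSerializerSettings.StringEscapeHandling is set to StringEscapeHandling.EscapeHtml, which can be added to the settings object the answer already passes to SerializeObject.

```javascript
// Added example, not code from the original question or answer.
// escapeJsonForScript, endsScriptBlock, buildInlineScript and sampleModel
// are names chosen for this example; the sample data below is constructed.

// Rewrite the characters that are unsafe inside an inline <script> block as
// JSON \uXXXX escapes. "<" and ">" cover both "</script" and "<!--"; "&" is
// escaped for parity with HTML-escaping serializers; U+2028/U+2029 are legal
// inside JSON strings but, before ES2019, were line terminators that could
// not appear unescaped in a JavaScript string literal.
// The output is still valid JSON, so it parses back to the original data.
function escapeJsonForScript(json) {
  return json.replace(/[<>&\u2028\u2029]/g, function (ch) {
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// True when the HTML tokenizer would treat the text as ending a <script>
// element: "</script" compared ASCII case-insensitively and followed by
// whitespace, "/" or ">". "</SCRIPT>" ends the block; "</scripttag>" does not.
function endsScriptBlock(text) {
  return /<\/script[\t\n\f\r \/>]/i.test(text);
}

// Assemble the inline script the view emits, with the escaped payload in
// the same expression position the question's Razor markup uses.
function buildInlineScript(model) {
  var json = escapeJsonForScript(JSON.stringify(model));
  return '<script type="text/javascript">\n' +
    "  $(document).ready(ko.applyBindings(new MyProfileVm(" + json + ")));\n" +
    "</script>";
}

// Constructed sample model mirroring the text saved in the question.
var sampleModel = {
  aboutMe: '<script type="text/javascript">alert("hey")</script>',
  title: "Here's a short self-bio! :)",
  locationName: "Vienna, VA"
};

var unescaped = JSON.stringify(sampleModel);
var escaped = escapeJsonForScript(unescaped);
console.log(endsScriptBlock(unescaped)); // true: raw JSON would end the block
console.log(endsScriptBlock(escaped));   // false: no "<" survives escaping
console.log(JSON.parse(escaped).aboutMe === sampleModel.aboutMe); // true
```

The escaping is only correct for the position the question uses, a JSON value placed directly in a JavaScript expression inside a script element; a value written into an HTML attribute or into element text needs HTML encoding instead, which Razor's default @ output already does.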

