为prevent XSS最佳实践黑客 [英] Best practice for Prevent XSS hacking
问题描述
我的团队有25 developer.we使用mvc.net应用程序的成员我们。我们使用的安全性是一个重要的 @ Html.AntiForgeryToken()和任何与安全相关的,但我们担心prevent XSS黑客。
我们带code每一个地方,但有些地方我们需要HTML代码的用户。
什么是prevent XSS最佳实践黑客?
I am member of team with 25 developer.we use mvc.net application that security is a n important for us.we use @Html.AntiForgeryToken() and anything that related with security but We are concerned about Prevent XSS hacking.
we encode every where but some places we need html from user.
What is the best practice for Prevent XSS hacking?
推荐答案
的金科玉律,以prevent XSS是HTML EN code,你是输出到一个视图的一切。
The golden rule to prevent XSS is to HTML encode everything that you are outputting to a view.
希望在 @ 剃刀功能已经这是否自动为您。
Hopefully the @ Razor function already does that automatically for you.
所以,当你写下列操作之一你是pretty安全的:
So when you write one of the following you are pretty safe:
@Model.SomeProperty
@Html.DisplayFor(x => x.SomeProperty)
您应该小心使用 @ Html.Raw 助手:
@Html.Raw(Model.SomeProperty)
如果您使用的输出不会是HTML EN codeD。这并不意味着你的网站很容易受到XSS注入。例如,如果你拥有的财产总量控制,而不是从用户输入来你应该pretty安全的。
If you use that the output will not be HTML encoded. This doesn't mean that your site is vulnerable to XSS injection. For example if you have total control of the property and is not coming from an user input you should be pretty safe.
如果您正在使用的WebForms视图引擎,那么你应该更加小心,因为<%= 函数没有HTML EN code输出
If you are using the WebForms view engine then you should be more careful because the <%= function doesn't HTML encode the output.
所以下面是不是安全的:
So the following is not safe:
<%= Model.SomeProperty %>
您应使用下列之一:
<%= Html.DisplayFor(x => x.SomeProperty) %>
<%: Model.SomeProperty %>
如果在另一方面,你需要输出一些用户不输入HTML编码它,我您使用建议 AntiXSS 微软库。它会过滤掉来自输入所有危险标记,你是安全的输出。从输入标签,例如它会删除&LT;脚本过夜。还有在MSDN上的 文章了解这个库,你可能检出。
If on the other hand you need to output some user input without HTML encoding it I would recommend you using the AntiXSS library from Microsoft. It will filter out all dangerous tags from the input and you are safe to output it. For example it will remove the <script> tags from the input. There's also an article on MSDN about this library that you might checkout.
这篇关于为prevent XSS最佳实践黑客的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
