处理每一个用户输入的为纯文本 [英] Handle every user input as plain text

问题描述

我们有一个非常大的web应用。
关于120.000行的总和。

We have a really big web-application.
About 120.000 lines in total.

在本申请中，用户有足够的可能性来输入文本。
在用户信息，文件夹，组等。

In this application the user has plenty possibilities to enter text.
In the user information, folders, groups and so on.

有些用户希望的名字不同的对象，如年龄＆LT; 20 。
还有是因为ASP.NET块这样的输入，因为一个问题＆LT;以prevent的JavaScript注入。

Some of the users want to name different objects like Age < 20.
There was a problem because ASP.NET blocks such input because of the "<" to prevent javascript-injections.

我们发现了一种关闭这些安全机制下来，但现在我们的应用程序是不安全的。

We found a way to shut those safety-mechanisms down but now our application is unsafe.

所以，问题是：
是否有任何设置或属性或任何可设置全局（在一个点为整个应用程序），该应用程序处理这样的输入作为纯文本？

So the question is:
Is there any setting or property or whatever that can be set global (at one point for the whole application) that the application handles such input as plain text?

因此​​，当例如用户想同名的文件夹＆LT;脚本＆GT;警报（警报）;＆LT; / SCRIPT＆GT; 应该这样的命名方式和如图就像＆LT;脚本＆GT;警报（警报）;＆LT; / SCRIPT＆GT; 但脚本不会执行。

So when a user for example wants to name a folder <script>alert("ALERT");</script> it should be named that way and is shown just as <script>alert("ALERT");</script> but the script will not execute.

同为HTML：如果名为文件夹＆LT; BR＆GT;一个就应该是这样的：文件夹＆LT; BR＆GT;一个，而不是像：
文件夹
一个

The same for HTML: if its named Folder<br>One it should look like: Folder<br>One and not like:
Folder
One

当然，我可以使用HTML恩code / -De code，但我不想去贯穿整个项目，并添加一个编码/解码只要输入作出或显示...
还一个全球性的解决方案，pretent失误在未来的发展。

Of course i could use HTML-Encode/-Decode but i dont want to go through the whole project and add an Encoding/Decoding wherever an input is made or shown...
Also would a global solution pretent mistakes in the future development.

那么问题又来了：有没有什么办法来处理每一个文字，就像文本的？和所有的全球越好？

So again the Question: is there any way to handle every text just as text? And all that as global as possible?

希望你能理解我的问题，知道的任何可能性。

Hope you could understand my problem and know any possibilities.

推荐答案

如果你不想使用HTML EN code德code不是试图 ValidateRequest =假您可以像在code波纹管：

if you dont want to use HTML encode decode than try ValidateRequest="false" You can do it like in code bellow:

<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" ValidateRequest="false" Inherits="_Default" %>

您可能想使用另一种方法是如下。

Another technique you may want to use is as following..

<script>
      function Encode() {
       var value = (document.getElementById('TextBox1').value);
       value = value.replace('<', "&lt;");
       value = value.replace('>', "&gt;");
       document.getElementById('TextBox1').value = value;
      }
 </script>

</head>
<body>
 <form id="form1" runat="server">
 <asp:TextBox ID="TextBox1"  runat="server"></asp:TextBox>
 <asp:Button ID="Button1" runat="server" Text="Button" OnClientClick="Encode()" />
 </form>

服务器端

protected void Page_Load(object sender, EventArgs e)
 {
  this.TextBox1.Text = Server.HtmlDecode(this.TextBox1.Text);
 }

这篇关于处理每一个用户输入的为纯文本的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！