如何连接code JSON / Ajax响应的XSS? [英] How to encode JSON/Ajax response for XSS?
问题描述
我有一个ASP.NET MVC2网站,使用Ajax和JSON巨资从数据库中读取数据,然后填入HTML。我希望能够EN code JSON对象,使其呈现任何HTML文本,而不是HTML。我很惊讶地发现没什么讨论/对这种明显的解决方案,这似乎是一个很大的潜在的XSS问题。
I have an ASP.NET MVC2 website that uses Ajax and JSON heavily to load data from a database and populate HTML. I'd like to be able to encode the JSON object so that it renders any HTML as text rather than HTML. I was surprised to not find much discussion/obvious solutions for this, as this seems to be a big potential XSS issue.
我俯瞰的东西,有一个简单的方法来做到这一点?或者,我需要拿出一个内部的解决方案呢?如果我这样做我自己,我应该做的模型,在控制器上,还是在jQuery的?
Am I overlooking something, and there is a simple way to do this? Or do I need to come up with an in-house solution for this? If I do this myself, should I do it on the model, on the controller, or in the jquery?
推荐答案
要防止跨站脚本,连接code HTML,因为它得到输出到视图。这些数据应该保持原始(除JSON编码,它会自动根据您的JSON库来完成)的JSON。
To protect against XSS, encode HTML as it gets output into the view. The data should remain raw (except for JSON encoding, which should be done automatically by your JSON library) in the JSON.
如果您请求支持JavaScript的JSON,然后插入一些它到文档中。使用 document.createTextNode(字符串)以创建从数据textNode(这需要字符的关心与HTML特殊含义),然后插入textNode到文档中。
If you are requesting the JSON with JavaScript, and then inserting some of it into the document. Use document.createTextNode(String) to create a textNode from the data (which takes cares of characters with special meaning in HTML), then insert that textNode into the document.
这篇关于如何连接code JSON / Ajax响应的XSS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
