使用Markdown处理代码块(Pagedown) [英] Handling Code Blocks with Markdown (Pagedown)
问题描述
我的MVC3应用程序使用 Pagedown 提供一个JavaScript文本编辑器,降价转换器和实时预览。我使用它的santizer对象去除潜在的危险代码,正如指令中所建议的那样 - 您可以在 javascript代码如下所示: 此代码将标记为 但是有些东西是不正确的......当我插入一个假的javascript如下所示: 并发布表单后,它会以黄色屏幕死亡: 这个字符串是否已经像 问题:我错过了什么以确保代码块和内联代码得到正确转换,以便它们可以作为安全字符串发布到服务器? 我错过了什么以确保代码块和内联代码被正确转换,以便它们可以作为安全字符串发布到服务器? 没什么。或者至少可能什么也没有,假设你正在创建带有正确输出转义的textarea,如果使用Web Forms或MVC控件,你将会使用它。 YSOD对于看起来像元素标记的任何和所有输入内容而言,无论是否应用程序处理输出正确转义或易受攻击。它不代表XSS问题,它总是发生。 如果您想允许用户输入包含看起来像元素标记的数据(并且没有任何内在危险关于这一点 - 你只需要输出转义右键),关闭请求验证。它完全是假的作为一种真正的安全功能,只会给你一种虚假的安全感;这是令人失望的,微软推动它,因为它揭示了什么HTML注入是一个致命的误解。 不幸的是禁用它在ASP.NET 4下变得更加恼人。使用 I'm betting I'm using something incorrectly here... My MVC3 application uses Pagedown to provide a javascript text editor, markdown converter, and live preview. I use its "santizer" object to strip potentially dangerous code just as suggested in instruction - you can see it at work in the demo. The javascript code looks like this: This code transforms a marked But something is not correct... when I insert a fake javascript like so: and post the form, it bombs out with a yellow screen of death: Is this string not already encoded safely like Question: What am I missing to ensure code blocks and inline code are properly transformed so that they may be posted to the server as a safe string? What am I missing to ensure code blocks and inline code are properly transformed so that they may be posted to the server as a safe string? Nothing. Or at least probably nothing, assuming you're creating the textarea with the correct output escaping, which you will be if using eg a Web Forms or MVC control. The YSOD appears for any and all input content that looks like element markup, regardless of whether your application handles output escaping correctly or is vulnerable. It's not indicative of an XSS problem, it happens all the time. If you want to allow user input that contains data that looks like element markup (and there's nothing intrinsically dangerous about that—you just have to get the output escaping right), turn off Request Validation. It is completely bogus as a real security feature and only really gives you a false sense of security; it is disappointing that Microsoft are pushing it, as it betrays a fatal misunderstanding of what HTML injection is. Unfortunately disabling it gets more irritating under ASP.NET 4. You have to reset the old model with 这篇关于使用Markdown处理代码块(Pagedown)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
<$ p ();
var converter1 = Markdown.getSanitizingConverter();
var editor1 = new Markdown.Editor(converter1);
editor1.run() );
})();
textarea 的标记转换为一位编辑,并使用santizing转换器去除坏东西。在某些方面,它似乎在起作用。例子:
marquee 标记, li>
< p style =font-size:40em;>超级大文本< / p> 被剥离为超级大文本
TEXT`< script type =text / javascript> alert(gotcha!);< ; /脚本>更多文本
请求验证检测到潜在危险的客户端输入值,并且请求处理已中止。
& lgt; script ...等那样安全编码?
<
< httpRuntime requestValidationMode =2.0/> 重置旧模型,然后添加 ValidateRequest =false到页面。(function () {
var converter1 = Markdown.getSanitizingConverter();
var editor1 = new Markdown.Editor(converter1);
editor1.run();
})();
textarea tag into an editor, and uses the santizing converter to strip bad stuff. In some ways it seems to be working. Examples:
marquee tag as in the demo it is stripped properly.<p style="font-size:40em;">Super Big Text</p> is stripped to Super Big TextTEXT `<script type="text/javascript">alert("gotcha!");</script>` MORE TEXT
Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted.&lgt;script... etc.?
<httpRuntime requestValidationMode="2.0" /> and then add ValidateRequest="false" to the page.
