Is PagesSection.ValidateRequest enough to prevent XSS in asp.Net


Question


In asp.net is the PagesSection.ValidateRequest method enough to prevent all XSS attacks or is there something more that needs to be done?


Can anyone point me to a more thorough resource on this topic specifically for asp.net as Google mainly returns MSDN articles and I'd like to verify that we're doing enough.

Recommended answer


AntiXSS Library

The Microsoft AntiXSS library is a good solution for ASP.Net. It uses a whitelist (versus blacklist) approach and seems to be regularly updated by Microsoft.


Latest download (as of this post): http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28589


AntiXSS supports both text and HTML-style validation. The HTML validation does permit content that might be undesirable (such as images in another domain).


It requires that you run each of your input values through the library which will result in additional (albeit simple) code.

using System;
using Microsoft.Security.Application;   // AntiXSS library: Sanitizer and Encoder

public class AppText
{
    // For rich-text input: keeps only whitelisted HTML and strips the rest
    // (script blocks, event-handler attributes, dangerous URL schemes).
    // As noted above, content that is merely undesirable, such as an image
    // hosted on another domain, is still allowed through.
    public static string GetSafeHtml( string inputText )
    {
        return Sanitizer.GetSafeHtmlFragment( inputText );
    }

    // For plain-text input: HTML-encodes the value so it renders literally
    // when emitted into an HTML body.
    public static string GetSafeText( string inputText )
    {
        // Fully qualified to avoid ambiguity with other Encoder types.
        return Microsoft.Security.Application.Encoder.HtmlEncode( inputText );
    }
}



Benefits

Manually validating each input ensures that you are not assuming security is just "handled" by ASP.Net request validation. It also gives you the flexibility to disable request validation if needed (there are legitimate cases for questionable characters in a request). Because you are validating the input explicitly with the AntiXSS library, you can allow characters/markup in the request.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
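As an added example (not part of the answer above, and not the AntiXSS project's own code) of the approach the answer describes: a Web Forms code-behind that turns request validation off for one rich-text field, sanitizes that field with AntiXSS on the way in, and encodes the plain-text field separately for each output context it lands in. The page, control and handler names (`CommentPage`, `NameInput`, `BodyInput`, `Preview`, `InlineScript`, `Submit_Click`) are assumptions; `Sanitizer.GetSafeHtmlFragment`, `Encoder.HtmlEncode`, `Encoder.HtmlAttributeEncode` and `Encoder.JavaScriptEncode` are the AntiXSS library's methods.

```csharp
// Added example, not from the original answer. Assumes a Web Forms page with
// <%@ Page ValidateRequest="false" %> so that BodyInput may carry markup; every
// value is then validated or encoded explicitly here instead of by ASP.Net.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application;   // AntiXSS library (Encoder, Sanitizer)

public partial class CommentPage : Page
{
    // Assumed controls on the page: TextBox NameInput, TextBox BodyInput
    // (multi-line), Literal Preview and Literal InlineScript.
    protected void Submit_Click(object sender, EventArgs e)
    {
        // 1. Rich text: keep whitelisted HTML, drop scripts, event handlers
        //    and dangerous URL schemes. Cross-domain images still pass.
        string safeBody = Sanitizer.GetSafeHtmlFragment(BodyInput.Text);

        // 2. Plain text: one encoding per output context. Request validation
        //    only rejects a few characters; it does not know where the value
        //    will be written, so the encoding must be chosen at output time.
        //    HTML body: angle brackets and ampersands are what matter.
        string nameInHtml = Encoder.HtmlEncode(NameInput.Text);
        //    Attribute value: quotes can close the attribute, so they are
        //    encoded too.
        string nameInAttr = Encoder.HtmlAttributeEncode(NameInput.Text);
        //    JavaScript string: JavaScriptEncode returns a quoted literal
        //    with backslash/quote/newline characters escaped.
        string nameInJs = Encoder.JavaScriptEncode(NameInput.Text);

        Preview.Text =
            "<div class=\"comment\" data-author=\"" + nameInAttr + "\">" +
            "<strong>" + nameInHtml + "</strong>" +
            safeBody +
            "</div>";

        InlineScript.Text =
            "<script>var author = " + nameInJs + ";</script>";
    }
}
```

Using the wrong encoder for a context (for example `HtmlEncode` inside the `<script>` block) is the usual way a value that passed request validation still becomes executable, which is why each sink above picks its own method.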
