在asp.net中使用decodeURIComponent
[英]using decodeURIComponent within asp.net
问题描述
I encoded an html text property using javascript and pass it into my database as such. 
我使用javascript编码了html文本属性,并将其传递到数据库中。 I mean the javascript for string like "Wales&PALS" 我的意思是像“ Wales&PALS”这样的字符串使用javascript
encodeURIComponent(e.value);
converted to "Wales%20PALS" 转换为“ Wales%20PALS”
I want to convert it back to "Wales&PALS" from asp.net. 我想将其从asp.net转换回“ Wales&PALS”。 Any idea on how to embed 关于如何嵌入的任何想法
decodeURIComponent(datatablevalues)
in my asp.net function to return the desired text? 在我的asp.net函数中返回所需的文本?
2 个解决方案
解决方案1
6 已采纳 2013-04-03 18:46:22
As a prevention for SQL injection we use parametrized queries or stored procedures. 为了防止SQL注入,我们使用参数化查询或存储过程。 Encoding isn't really suitable for that. 编码并非真的适合。 Html encoding is nice if you expect your users to add stuff to your website and you want to prevent them injecting malicious javascript for instance. 如果您希望用户向自己的网站添加内容,并且希望防止用户注入恶意javascript,则HTML编码是不错的选择。 By encoding the string the browser would just print out the contents. 通过对字符串进行编码,浏览器将只打印出内容。 What you're doing is that you encode the string, add it to the database, but then you try to decode it back to the original state and display it for the clients. 您正在做的是对字符串进行编码,将其添加到数据库中,然后尝试将其解码回原始状态并为客户端显示它。 That way you're vulnerable to many kinds of javascript injections.. 这样一来,您很容易受到多种JavaScript注入的攻击。
If that's what you intended, no problem, just be aware of the consequences. 如果这是您的预期,没问题,请注意后果。 Know "why" and "how" every time you make a decision like this. 每次做出这样的决定时,都要知道“为什么”和“如何”。 It's kinda dangerous. 有点危险
For instance, if you wanted to enable your users to add html tags as a means of enhancing the inserted content, a more secure alternative for this would be to create your own set of tags (or use an existing one like BBCode), so the input never contains any html markup and when you insert it into the database, simply parse it first to switch to real html tags. 例如,如果您想让用户添加html标签,以增强插入的内容,那么一种更安全的选择是创建自己的标签集(或使用现有的BBCode标签),因此输入内容永远不会包含任何html标记,当您将其插入数据库时,只需先解析它即可切换到实际的html标签。 Asp.net engine will never allow malicious input during a request (unless you voluntarily force it do so) and because you already control parsing the input, you can be sure it's secure when you output it, so there's no need for some additional processing. Asp.net引擎绝不会在请求期间允许恶意输入(除非您自愿强制这样做),并且由于您已经控制了对输入的解析,因此可以确定输出时它是安全的,因此不需要进行任何其他处理。
Just an idea for you :) 只是一个想法给你:)
If you really insist on doing it your way (encode -> db -> decode -> output), we have some options how to do that. 如果您真的坚持要按照自己的方式进行操作(编码->数据库->解码->输出),我们有一些方法可以做到这一点。 I'll show you one example: 我给你看一个例子:
For instance you could create a new get-only property, that would return your decoded data. 例如,您可以创建一个新的get-only属性,该属性将返回解码后的数据。 (you will still maintain the original encoded data if you need to). (如果需要,您仍将保留原始编码数据)。 Something like this: 像这样:
public string DecodedData
{
get
{
return HttpUtility.UrlDecode(originalData);
}
}
http://msdn.microsoft.com/en-us/library/system.web.httputility.aspx http://msdn.microsoft.com/en-us/library/system.web.httputility.aspx
If you're trying to encode a html input, maybe you'd be better off with a different encoding mechanism. 如果您尝试对html输入进行编码,则最好使用其他编码机制。 Not sure if javascripts encodeURIComponent can correctly parse out html. 不知道javascripts encodeURIComponent是否可以正确解析html。
解决方案2
0 2013-04-03 18:19:23
Try UrlDecode in HttpServerUtility. 在HttpServerUtility中尝试UrlDecode。 API page for it API页面
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.