
Check for script in asp.net text box

We would like to stop users inputting html or javascript in a text box.

We can just parse the input and check for angle brackets. Was wondering, is there a better way to do this?

I have found that replacing the angle brackets with encoded angle brackets solves most problems. Here is a reference for all the ways people can cross-site script. Making a regex to stop any flavor of HTML and/or script is damn near impossible.

If you set Page.ValidateRequest = true then it will stop this.

From .net version 1.1 onwards (I think) this is set to true by default.

Could you use a regular expression validator to validate the input?

Page.ValidateRequest will stop this unless you have it turned off.

However, OWASP guidelines (as well as pretty much all competent security guidelines) tell you that you should NOT try to limit bad characters in your validation, but instead you should filter so that only specifically allowed characters are used.

http://en.wikipedia.org/wiki/Secure_input_and_output_handling

http://www.owasp.org/index.php/Top_10_2007-A1

For good secure coding practices I would start here and bookmark the site for future reference. http://www.owasp.org/index.php/Top_10_2007

I came across this html utility. The code uses a white list of tags that are allowed to be entered. The script then formats the input text and removes tags and scripts that could be used for cross site scripting attacks.

For your purposes you could not have any tags in the white list.

Html utility
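The allowlist approach from the OWASP answer, combined with the output-encoding point from the first answer, as an added example; this is not code from the question or any answer, and the class name, the regex, and the page members in the usage comment are all assumed:

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper (assumed, not from the thread): validates a text box value
// against an allowlist of characters, then encodes it before it goes back into HTML.
public static class TextBoxInput
{
    // Allowlist, not blocklist: letters, digits, space and a few punctuation marks.
    // Everything else, including '<', '>', '&' and '"', is rejected outright.
    // \A and \z anchor the whole string; '$' alone would allow a trailing newline.
    private static readonly Regex Allowed =
        new Regex(@"\A[\p{L}\p{N} .,'!?()\-]{0,200}\z", RegexOptions.Compiled);

    public static bool IsAllowed(string value)
    {
        return value != null && Allowed.IsMatch(value);
    }

    // Validation narrows what is stored; encoding is still required on output,
    // because the same string may later be rendered in a context the allowlist
    // was not designed for.
    public static string ForHtml(string value)
    {
        return WebUtility.HtmlEncode(value ?? string.Empty);
    }

    // Constructed sample inputs, to show the decision for each.
    public static void Main()
    {
        string[] samples = { "Hello, world!", "<b>bold</b>", "a&b", "plain text." };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-16} allowed={1,-5} encoded={2}",
                s, IsAllowed(s), ForHtml(s));
        }
    }
}

// Usage in a code-behind click handler (CommentBox, ErrorLabel and OutputLabel
// are assumed page controls):
//   if (!TextBoxInput.IsAllowed(CommentBox.Text)) { ErrorLabel.Text = "Invalid input."; return; }
//   OutputLabel.Text = TextBoxInput.ForHtml(CommentBox.Text);
```

Keep ValidateRequest enabled as a backstop; it is a second layer, not a substitute for the allowlist and the encoding.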
