在asp.net mvc中处理javascript注入
[英]handle javascript injection in asp.net mvc
问题描述
How can we handle the javascript injection in asp.net mvc (C#) application? 
我们如何在asp.net mvc(C#)应用程序中处理javascript注入?
I can use Html.Encode in my View. 我可以在我的视图中使用Html.Encode。 But the problem is i have html also to show in the page like a blog post. 但问题是我有html也在页面中显示像博客文章。
I need to remove the script entered in the input elements of the application? 我需要删除在应用程序的输入元素中输入的脚本吗? How can i do that in a common place? 我怎么能在一个共同的地方做到这一点?
1 个解决方案
解决方案1
9 已采纳 2010-02-06 06:10:09
The "high-level" best practice for doing this is: 这样做的“高级”最佳实践是:
- Store user-input the way it was entered into the system 将用户输入存储为输入系统的方式
- HTML encode all user-input when it is output on any page HTML在任何页面上输出时对所有用户输入进行编码
- Use a white-list approach to "de-encode" allowed HTML characters, attributes, attribute values, etc. that you encoded in the previous step 使用白名单方法“解码”您在上一步中编码的允许的HTML字符,属性,属性值等
HTML Encoding user-input on output will stop JavaScript from being executed on your site. 输出上的HTML编码用户输入将阻止JavaScript在您的站点上执行。
The reasons why you want to store user-input "as entered" is because you may in the future decide to output user data in other formats (PDF, email, JavaScript, RSS, etc) that don't have the same rules for encoding. 您希望将用户输入存储为“已输入”的原因是因为您将来可能决定输出其他格式(PDF,电子邮件,JavaScript,RSS等)的用户数据,这些格式不具有相同的编码规则。 As a result, you should keep data as close to its original form as possible. 因此,您应该尽可能保持数据尽可能接近原始格式。 This will make things easier to deal with later. 这将使以后更容易处理。
For HTML Encoding user-input, you can use System.Web.HttpUtility.HtmlEncode(...) . 对于HTML编码用户输入,您可以使用System.Web.HttpUtility.HtmlEncode(...) 。
To combine steps 2 & 3, you can use Microsoft's AntiXSS library . 要结合步骤2和3,您可以使用Microsoft的AntiXSS库 。 It provides some extra encoding methods that the HttpUtility class doesn't provide to make your job easier. 它提供了一些额外的编码方法,HttpUtility类没有提供这些方法来使您的工作更轻松。 I was unaware until Malcolm pointed out in the comments, that the latest version of this library includes a method called GetSafeHtmlFragment(...) which will remove all JavaScript manually. 直到Malcolm在评论中指出,我才意识到这个库的最新版本包含一个名为GetSafeHtmlFragment(...)的方法,它将手动删除所有JavaScript。 This will handle all of the heavy lifting of removing user-entered JavaScript code for you. 这将解决为您删除用户输入的JavaScript代码的所有繁重工作。 You will most likely want to use GetSafeHtmlFragment and not GetSafeHtml , which is designed to encode entire HTML documents. 您很可能希望使用GetSafeHtmlFragment而不是 GetSafeHtml ,它用于编码整个HTML文档。
Minor note: Read the reviews of the latest AntiXss release (January 2012 at the time of writing this) if you find functionality is not working as you expect. 次要注意事项:如果您发现功能无法正常工作,请阅读最新的AntiXss版本(撰写本文时的2012年1月)的评论。 You may want to consider using an older release depending on your needs, though be advised that older releases have known security defects in them. 您可能需要考虑使用较旧的版本,具体取决于您的需求,但请注意旧版本中存在已知的安全缺陷。 Microsoft has acknowledged the issue and is looking into a solution. 微软已经承认了这个问题并正在寻找解决方案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.