ASP.NET文本框中的“ <”->如何允许它?
[英]“<” in a text box in ASP.NET --> how to allow it?
问题描述
I have a textfield which displays a string which contains < and >. 
我有一个文本字段,其中显示包含<和>的字符串。 The code throws an error because of that. 因此,代码将引发错误。 How can I allow the usage of those chars in my textfield? 如何允许在文本字段中使用这些字符?
Thanks :) 谢谢 :)
7 个解决方案
解决方案1
22 已采纳 2010-11-10 16:10:51
Problem is that when this gets posted to server, it will not work, doesn't matter what you try. 问题是,将其发布到服务器后,它将不起作用,与您尝试执行的操作无关。 This is the ASP.NET XSS protection, which can be disabled like so: 这是ASP.NET XSS保护,可以像这样禁用它:
<%@ Page ... ValidateRequest="false" %>
Trouble is, you'll have to be very careful validating all the postback yourself. 麻烦的是,您必须非常仔细地亲自验证所有回发。 Easier way is to escape all the contents of textbox using javascript just before posting. 一种更简单的方法是在发布之前使用javascript转义文本框的所有内容。 You can escape it using same HTML escaping, then unescape in server side code. 您可以使用相同的HTML转义符对其进行转义,然后在服务器端代码中进行转义。
Update: Example of escaping. 更新:转义示例。 This will flash the changed text on screen before postback - ideal solution is to use a hidden field for this, ie assign value to a hidden field, instead of that same field. 这将在回发之前在屏幕上闪烁更改的文本-理想的解决方案是为此使用隐藏字段,即为隐藏字段(而不是同一字段)分配值。 This is the simplest version: 这是最简单的版本:
<script>
function EscapeField(){
document.getElementById("your client control ID").value =
escape(document.getElementById("your client control ID").value);
}
</script>
And in code-behind: 并在代码背后:
this.ClientScript.RegisterOnSubmitStatement(this.GetType(),
"EscapeField", "EscapeField();")
Update: Again, warning - if you save HTML in your database like this, and then just display it to the client, you are directly vulnerable to XSS attacks. 更新:再次警告-如果您这样将HTML保存在数据库中,然后仅将其显示给客户端,则您很容易受到XSS攻击。 There are worms out there that will find and exploit your web site. 那里有蠕虫可以找到并利用您的网站。 Make sure you cleanse the HTML you are getting. 确保您清理得到的HTML。
解决方案2
8 2010-11-10 15:58:04
If you're in an asp.net page, you can wrap the whole of the output text in a Server.HtmlEncode("YourTextWith<and>Characters") 如果您位于asp.net页面,则可以将整个输出文本包装在Server.HtmlEncode("YourTextWith<and>Characters")
function and it will encode any dodgy characters for you. 功能,它将为您编码任何狡猾的字符。
If, for some reason, you're doing this in a .cs file, you can use System.Web.HttpUtility.HtmlEncode("YourTextWith<and>Characters") 如果出于某种原因在.cs文件中执行此操作,则可以使用System.Web.HttpUtility.HtmlEncode("YourTextWith<and>Characters")
before passing it to the presentation layer. 在将其传递到表示层之前。
解决方案3
4 2010-11-10 15:53:43
Convert them to < 将它们转换为< and > 和> . 。 In Html, < 在HTML中, < is converted to < and > 转换为<和> is converted to > without it thinking it's part of the markup. 转换为>而没有想到它是标记的一部分。 So the string <Blah> will be <Blah> 因此字符串<Blah>将是<Blah> . 。
Edit : I forgot, to automatically convert them and escape all HTML characters (so this isn't an issue for other things), in Asp.net you can use Server.HtmlEncode(string) to automatically convert all characters that could cause issues to their HTML equivalent. 编辑 :我忘了自动转换它们并转义所有HTML字符(因此这不是其他问题),在Asp.net中,您可以使用Server.HtmlEncode(string)自动转换所有可能引起问题的字符他们的HTML等价物。
解决方案4
2 2011-11-15 10:24:07
The easiest solution is to disable request validation in single pages 最简单的解决方案是在单个页面中禁用请求验证
<%@ Page ... ValidateRequest="false" %>
but don't forget to enable requestValidationMode="2.0" 但不要忘记启用requestValidationMode =“ 2.0”
<system.web>
...
<httpRuntime requestValidationMode="2.0" />
</system.web>
This solution could espose some threats. 此解决方案可能会带来一些威胁。
Another smart solution is to replace via javascript text written by user to make it safe for validation: <tag> is considere dangerous, but < tag> is considered safe! 另一个聪明的解决方案是通过用户编写的javascript文本替换它,以确保验证安全: <tag>被认为是危险的,但是< tag>被认为是安全的!
A javascript replacement can solve the problem. javascript替换可以解决问题。
function validateTxt() {
$("textarea, input[type='text']").change(function () {
html = $(this).val(); //get the value
//.replace("a" , "b") works only on first occurrence of "a"
html = html.replace(/< /g, "<"); //before: if there's space after < remove
html = html.replace(/</g, "< "); // add space after <
$(this).val(html); //set new value
});
}
$(document).ready(function () {
validateTxt();
});
解决方案5
0 2013-10-02 06:44:17
your problem is,you cannot use html tags in .net controls. 您的问题是,您不能在.net控件中使用html标记。 so set the ValidateRequest="false" in your aspx page and encode the text before you saving the text. 因此,请在aspx页面中设置ValidateRequest =“ false”并在保存文本之前对文本进行编码。
//encode
private string Encode(string text)
{
byte[] encodedText = System.Text.Encoding.UTF8.GetBytes(text);
return System.Convert.ToBase64String(encodedText);
}
when you retrieving your text make sure to decode the encoded text. 检索文本时,请确保对编码后的文本进行解码。
// Decode:
private string Decode(string encodedText)
{
byte[] decodedText = System.Convert.FromBase64String(encodedText);
return System.Text.Encoding.UTF8.GetString(decodedText );
}
解决方案6
0 2010-11-10 15:56:04
<asp:TextBox ID="TextBox1" runat="server"><</asp:TextBox>
我不知道您的问题是否与此有关,或者您是否遇到validateRequest问题
解决方案7
0 2010-11-10 16:00:26
You can either use the TextBox.Text property which will HTML-encode whatever you enter 您可以使用TextBox.Text属性对输入的内容进行HTML编码
<asp:TextBox ID="TextBox1" runat="server" Text="<>"></asp:TextBox>
or you can enter the html names for < and > . 或者,您可以输入<和>的html名称。
<asp:TextBox ID="TextBox1" runat="server"><</asp:TextBox>
or you can enter the html codes 或者您可以输入html代码
<asp:TextBox ID="TextBox1" runat="server"><</asp:TextBox>
for the name and code conversions, check out this chart. 有关名称和代码的转换,请查看此图表。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.