如何从跨站点脚本中清除 ashx url?
[英]How to clean ashx url from cross-site scripting?
问题描述
For example I have a handler MyPage.ashx?parameter=1¶meter=2
例如我有一个处理程序MyPage.ashx?parameter=1¶meter=2
if someone added to the end of the url <script>alert('Test')</script>如果有人添加到 url <script>alert('Test')</script>的末尾
MyPage.ashx?parameter=1¶meter=2<script>alert('Test')</script>
javascript will be executed on client side javascript 将在客户端执行
Is there anyway to clean url from cross-site scripting?无论如何要从跨站点脚本中清除 url 吗?
2 个解决方案
解决方案1
1 2011-06-09 16:12:40
The javascript is only being executed because you are outputting user input raw. javascript 仅被执行,因为您正在输出原始用户输入。
If your ashx needs to output parameters you must encode them suitable.如果您的 ashx 需要 output 参数,您必须对它们进行合适的编码。 Assuming you are creating HTML in your ashx page you need to HtmlEncode the parameter value before you output it.假设您在 ashx 页面中创建 HTML 您需要在 output 之前对参数值进行HtmlEncode 。 There are different encoding methods for particular types, it's hard to tell which needs to be used without more details of the ashx script.特定类型有不同的编码方法,如果没有 ashx 脚本的更多细节,很难判断需要使用哪种编码方法。
解决方案2
0 2011-06-09 14:59:07
Check ASP.NET Request Validation检查ASP.NET 请求验证
In addition to that you should never render request input parameters unescaped or unvalidated back to the client.除此之外,您永远不应该将未转义或未验证的请求输入参数呈现给客户端。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.