Why label x = txtName.Text; comes under XSS attack and what is the prevention here?

广开言路 2021-02-10 13:04

I have the following code:

label x = txtName.Text; 

When the security team analyzed the dll they said it was possible to perform an XSS attack.

2 answers
  •  鱼传尺愫
    2021-02-10 13:11

    I am assuming you are talking about a WebForms Label - it is not clear from the question (post real code!)

    This is a problem with the design of ASP.NET WebForms. Many elements have a property called Text, but the property does different things depending on the element.

    You would hope that setting Text on a control would set its plain textual content. This safe operation is what the name would seem to imply. And that is the case on these controls:

    • TextBox
    • Button
    • ImageButton
    • ListItem

    Unfortunately, on a bunch of other controls, the property of the same name actually sets the HTML markup in the element. So if you have a text string with <b> in it, you get some bold text instead of the letter b in some angle brackets. And if the text has strings such as
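The vulnerable assignment from the question next to its encoded form, as an added example that is not part of the original answer; the control names lblGreeting and btnSubmit_Click are assumed, txtName is the one from the question:

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical WebForms code-behind: the page has a TextBox "txtName" (from the
// question), a Label "lblGreeting" and a Button wired to btnSubmit_Click (both assumed).
public partial class Greeting : Page
{
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Vulnerable: Label.Text is written into the page as raw HTML, so user input
        // such as "<b>" becomes markup, and an injected <script> tag would execute
        // in the browser of whoever views the page.
        // lblGreeting.Text = txtName.Text;

        // Fixed: HTML-encode on output. The browser then shows "<b>" literally
        // because it is emitted as "&lt;b&gt;".
        lblGreeting.Text = HttpUtility.HtmlEncode(txtName.Text);

        // Alternative when the control is a Literal: let the control encode for you.
        // litGreeting.Mode = LiteralMode.Encode;   // litGreeting is assumed
        // litGreeting.Text = txtName.Text;
    }
}
```

The same rule applies to every control whose Text is rendered as markup: encode at the point of output, not when the value is stored.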
