A potentially dangerous Request.Form value was detected from the client

刺人心 2020-11-21 05:24

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown.

I don't want to go

30 answers
  •  栀梦 (original poster)
    2020-11-21 05:47

    Please bear in mind that some .NET controls will automatically HTML encode the output. For instance, setting the .Text property on a TextBox control will automatically encode it. That specifically means converting < into &lt;, > into &gt; and & into &amp;. So be wary of doing this...

    myTextBox.Text = Server.HtmlEncode(myStringFromDatabase); // Pseudo code
    

    However, the .Text property for HyperLink, Literal and Label won't HTML encode things, so wrapping Server.HtmlEncode(); around anything being set on these properties is a must if you want to prevent from being output into your page and subsequently executed.

    Do a little experimenting to see what gets encoded and what doesn't.
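The behaviour this answer describes, as an added example that is not part of the original post: a stand-alone C# console model in which `EmitTextBox` and `EmitLabel` are hypothetical stand-ins for an encoding and a non-encoding control, `System.Net.WebUtility.HtmlEncode` stands in for `Server.HtmlEncode`, and the sample string is constructed.

```csharp
using System;
using System.Net;

static class EncodingDemo
{
    // Constructed sample value standing in for myStringFromDatabase.
    const string FromDb = "Tom & Jerry <b>bold</b>";

    // Hypothetical stand-in for a control that encodes Text itself (TextBox).
    static string EmitTextBox(string text) => WebUtility.HtmlEncode(text);

    // Hypothetical stand-in for a control that writes Text verbatim (Label).
    static string EmitLabel(string text) => text;

    static void Report(string name, string emitted)
    {
        // A raw '<' means the stored markup reaches the browser as HTML.
        bool rawMarkup = emitted.Contains("<");
        // The browser decodes entities once before displaying the text.
        string shown = WebUtility.HtmlDecode(emitted);
        string verdict =
            rawMarkup ? "UNENCODED: stored markup is parsed as HTML"
            : shown == FromDb ? "ok: displayed exactly as stored"
            : "DOUBLE-ENCODED: user sees " + shown;
        Console.WriteLine($"{name}\n  emitted: {emitted}\n  {verdict}");
    }

    static void Main()
    {
        string pre = WebUtility.HtmlEncode(FromDb); // the Server.HtmlEncode step

        Report("TextBox.Text = value", EmitTextBox(FromDb));
        Report("TextBox.Text = HtmlEncode(value)", EmitTextBox(pre));
        Report("Label.Text = value", EmitLabel(FromDb));
        Report("Label.Text = HtmlEncode(value)", EmitLabel(pre));
    }
}
```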
