Does ASP.NET MVC 4 require extra XSS handling by default

故里飘歌 2021-02-13 16:21

ASP.NET MVC 4 by default ignores HTML input in a post message. If I don't explicitly accept HTML, is there any code I need to write to defend my site against XSS attacks? I won

1 answer
  •  暖寄归人 2021-02-13 16:47

    I found an excellent blog post by Amir Ismail that addresses all of your concerns. http://miroprocessordev.blogspot.com/2012/03/save-aspnet-mvc-application-against.html

    To summarize what he writes: Razor encodes output by default unless Html.Raw is used. Html.AntiForgeryToken() can be used to create a random token that protects against CSRF; however, it requires the user to accept cookies.

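The two defaults the answer refers to, shown together in an added example (this is not code from the question, the answer, or the linked blog post): a minimal MVC 4 controller and model, with the matching Razor view markup in comments, plus a small class that makes the encoding Razor applies to `@` output visible outside a view. The names `CommentsController`, `Comment`, `Create` and `RazorEncodingDemo` are assumptions chosen for the illustration.

```csharp
// Added example, not from the linked blog post: the two ASP.NET MVC 4 defaults
// discussed in the answer. Controller, model and action names are hypothetical.
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Web.Mvc;

public class Comment
{
    // Request validation stays on for this property: a posted value containing
    // markup such as "<script>" is rejected before the action runs. Marking the
    // property with [AllowHtml] would switch that check off for this property only.
    [Required, StringLength(500)]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // GET /Comments/Create renders the form shown in the comment below.
    public ActionResult Create()
    {
        return View(new Comment());
    }

    // The matching view, Views/Comments/Create.cshtml:
    //
    //   @model Comment
    //   @using (Html.BeginForm())
    //   {
    //       @Html.AntiForgeryToken()      // hidden field + __RequestVerificationToken cookie
    //       @Html.TextAreaFor(m => m.Body)
    //       <input type="submit" value="Post" />
    //   }
    //
    // and the display view, Views/Comments/Show.cshtml:
    //
    //   @model Comment
    //   <p>@Model.Body</p>             // HTML-encoded by Razor: safe for untrusted text
    //   <p>@Html.Raw(Model.Body)</p>   // NOT encoded: only for markup you already trust

    // POST: [ValidateAntiForgeryToken] compares the hidden form field with the
    // cookie. A request that lacks either one (a form posted from another site,
    // or a client that refused the cookie) fails with HttpAntiForgeryException,
    // which is the cookie dependency the answer mentions.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Comment comment)
    {
        if (!ModelState.IsValid)
        {
            return View(comment);
        }
        // Persisting the comment is omitted; it has no bearing on the encoding.
        return View("Show", comment);
    }
}

// What Razor's '@' does to untrusted text, made explicit so it can be observed
// outside a view: HTML encoding of the markup-significant characters, which is
// exactly the step Html.Raw bypasses.
public static class RazorEncodingDemo
{
    public static string Encoded(string userText)
    {
        // Equivalent to what Razor applies to @Model.Body
        return WebUtility.HtmlEncode(userText);
    }

    public static string Raw(string trustedMarkup)
    {
        // Equivalent to @Html.Raw(Model.Body): passed through unchanged
        return trustedMarkup;
    }
}
```

The practical rule this illustrates: untrusted text written with `@` is encoded and needs no extra handling, `Html.Raw` is the one place where encoding is switched off, and `[ValidateAntiForgeryToken]` only protects an action when the view that posts to it emits `@Html.AntiForgeryToken()`.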