Just a quick question. I was asked to go through a VB app and fix all the places where cross-site scripting could happen. I changed the <%= to <%: and everywhere they we
Just tried it. Sadly, it does not protect you from cross-site scripting. I made an aspx page and in the code-behind I put:
    protected void Page_Load(object sender, EventArgs e)
    {
        StringWriter stringWriter = new StringWriter();
        using (HtmlTextWriter writer = new HtmlTextWriter(stringWriter)) {
            writer.RenderBeginTag(HtmlTextWriterTag.Label);
            // Write() emits the string as-is, with no HTML encoding.
            writer.Write(
                "<script>alert('.Net and the Terrible, Horrible, No Good, Very Bad Script');</script>");
            writer.RenderEndTag();
        }
        Response.Write(stringWriter);
    }
I ran the page and the JavaScript alert popped up, so I guess HtmlTextWriter doesn't protect you from cross-site scripting.
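The behaviour described in the post, next to the encoded form, as an added example that is not part of the original post. It assumes a .NET Framework project that references System.Web; the class and method names (EncodingDemo, RenderLabel) and the sample input are made up for illustration.

```csharp
using System;
using System.IO;
using System.Web.UI;

// Hypothetical demo class; requires a reference to System.Web (.NET Framework).
public static class EncodingDemo
{
    // Renders <label title="...">...</label> around the given value,
    // either verbatim (encode == false) or HTML-encoded (encode == true).
    public static string RenderLabel(string untrusted, bool encode)
    {
        var sw = new StringWriter();
        using (var writer = new HtmlTextWriter(sw))
        {
            // The third argument controls whether the attribute value is encoded.
            writer.AddAttribute(HtmlTextWriterAttribute.Title, untrusted, encode);
            writer.RenderBeginTag(HtmlTextWriterTag.Label);

            if (encode)
                writer.WriteEncodedText(untrusted); // HTML-encodes the element text
            else
                writer.Write(untrusted);            // writes the string verbatim

            writer.RenderEndTag();
        }
        return sw.ToString();
    }

    public static void Main()
    {
        // Constructed sample input standing in for user-controlled data.
        string input = "<script>alert('xss')</script>";

        Console.WriteLine("raw:     " + RenderLabel(input, false));
        Console.WriteLine("encoded: " + RenderLabel(input, true));
    }
}
```

In a code-behind that builds markup with HtmlTextWriter, the encoding has to be requested per call (WriteEncodedText, the fEncode argument, or HttpUtility.HtmlEncode before Write); the <%: syntax only covers expressions in the .aspx markup.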