To HTMLENCODE or not to HTMLENCODE user input on web form (asp.net vb)

Frontend | Unresolved | 2 | 886
野性不改 2021-01-28 08:55

I have many params making up an insert form for example:

x.Parameters.AddWithValue("@city", City.Text)

I had a failed XSS attack on the site.

2 answers
  •  心在旅途 2021-01-28 09:20

    Don't encode input. Do encode output. At some point in the future, you might decide you want to use the same data to produce PDF or a Word document (or something else), at which point you won't want it to be HTML.

    When you are accepting data, it is just data.

    When you are inserting data into a database, it needs to be converted to make sense for the database.

    When you are inserting data into an HTML document, it needs to be converted to make sense for HTML.

    … and so on.
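The split the answer describes, stored once as plain data and encoded at each output, looks like this in ASP.NET Web Forms with VB.NET. This is an added example, not code from the question or the answer; the connection string, the Users(City) table, and the control names (City, CityOut, SaveButton) are assumptions for illustration.

```vb
' Added example, not from the question or the answer: "store raw, encode on output"
' in ASP.NET Web Forms (VB.NET). The connection string, the Users(City) table and
' the control names City, CityOut and SaveButton are assumptions.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web

Partial Class CityForm
    Inherits System.Web.UI.Page

    ' Placeholder; a real application reads this from configuration.
    Private Const ConnectionString As String = "Server=(local);Database=AppDb;Integrated Security=true"

    ' Accepting and storing: the text is saved exactly as typed. The parameter carries
    ' the value separately from the SQL text, so no quoting or escaping happens here,
    ' and the declared type and length bound what can be stored.
    Protected Sub SaveButton_Click(sender As Object, e As EventArgs) Handles SaveButton.Click
        Using conn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand("INSERT INTO Users (City) VALUES (@city)", conn)
                cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = City.Text
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' Rendering: the same stored string is encoded for the context it lands in.
    ' Each function returns the fragment to write, so encoding happens once, at the output edge.

    ' HTML element content: "<script>" becomes "&lt;script&gt;".
    Public Shared Function CityAsHtml(city As String) As String
        Return "<span>" & HttpUtility.HtmlEncode(city) & "</span>"
    End Function

    ' HTML attribute value: double quotes become "&quot;" so the value cannot close the attribute.
    Public Shared Function CityAsAttribute(city As String) As String
        Return "<input type=""text"" value=""" & HttpUtility.HtmlAttributeEncode(city) & """ />"
    End Function

    ' JavaScript string literal: quotes, backslashes and angle brackets are escaped;
    ' the True argument adds the surrounding double quotes.
    Public Shared Function CityAsScript(city As String) As String
        Return "var city = " & HttpUtility.JavaScriptStringEncode(city, True) & ";"
    End Function

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim stored As String = City.Text ' stands in for the value read back from the database
        CityOut.Text = CityAsHtml(stored) ' Literal control: its Text is written to the page as-is
        ClientScript.RegisterStartupScript(Me.GetType(), "city", CityAsScript(stored), True)
    End Sub
End Class
```

The point of keeping the three output functions separate is that one stored value needs three different encoders: HtmlEncode for element content, HtmlAttributeEncode for attribute values, and JavaScriptStringEncode for script. Encoding at insert time would commit the data to one of those contexts and break the other two, which is exactly the PDF/Word case the answer raises.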
