handle javascript injection in asp.net mvc

|▌冷眼眸甩不掉的悲伤 提交于 2019-12-02 00:39:12

问题


How can we handle the javascript injection in asp.net mvc (C#) application?

I can use Html.Encode in my View. But the problem is i have html also to show in the page like a blog post.

I need to remove the script entered in the input elements of the application? How can i do that in a common place?


回答1:


The "high-level" best practice for doing this is:

  • Store user-input the way it was entered into the system
  • HTML encode all user-input when it is output on any page
  • Use a white-list approach to "de-encode" allowed HTML characters, attributes, attribute values, etc. that you encoded in the previous step

HTML Encoding user-input on output will stop JavaScript from being executed on your site.

The reasons why you want to store user-input "as entered" is because you may in the future decide to output user data in other formats (PDF, email, JavaScript, RSS, etc) that don't have the same rules for encoding. As a result, you should keep data as close to its original form as possible. This will make things easier to deal with later.

For HTML Encoding user-input, you can use System.Web.HttpUtility.HtmlEncode(...).

To combine steps 2 & 3, you can use Microsoft's AntiXSS library. It provides some extra encoding methods that the HttpUtility class doesn't provide to make your job easier. I was unaware until Malcolm pointed out in the comments, that the latest version of this library includes a method called GetSafeHtmlFragment(...) which will remove all JavaScript manually. This will handle all of the heavy lifting of removing user-entered JavaScript code for you. You will most likely want to use GetSafeHtmlFragment and not GetSafeHtml, which is designed to encode entire HTML documents.

Minor note: Read the reviews of the latest AntiXss release (January 2012 at the time of writing this) if you find functionality is not working as you expect. You may want to consider using an older release depending on your needs, though be advised that older releases have known security defects in them. Microsoft has acknowledged the issue and is looking into a solution.



来源:https://stackoverflow.com/questions/2212223/handle-javascript-injection-in-asp-net-mvc

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!