Question
I have a literal control being used to display HTML coming from DB. I did face some XSS issues and implemented Anti-XSS Security Runtime Engine (SRE) to automatically encode all html markup. e.g.
DB : <p align="center"></p>
Anti-XSS encodes it as :
<p align="center"> </p>
However, when I am setting text property of literal content from code behind, I was expecting that the literal control will DECODE the proper html and display the rendered version. Instead, it is showing the ENCODED version.
Thus the literal control displays <p align="center"></p> post-render. I understand it is Anti-XSS in action, but how can I get the literal control to show the rendered HTML instead of the markup?
ASPX - <asp:Literal ID="ltPageContent" runat="server"></asp:Literal>
Code behind on page load - ltPageContent.Text = getPageContent("home") ' Gets HTML from DB
Am I missing something simple here?
Answer 1:
Without considering XSS risks, you may forget the LiteralControl here and use inline code instead:
ASPX:
<%= Server.HtmlDecode(YOUR_STRING) %>
Answer 2:
You can also use the "Mode" property with a value of "PassThrough":
<asp:Literal ID="ltPageContent" runat="server" Text="Html Here" Mode="PassThrough" />
I do advise checking for XSS before data is passed here, though.
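One way to do that check while still using PassThrough, as an added example that is not code from the question or either answer: decode the stored value once (in case the SRE already encoded it), run it through an allow-list HTML sanitizer, and only then hand it to the Literal. It assumes the Microsoft AntiXSS library (Microsoft.Security.Application) is referenced, and GetPageContent is a stand-in for the question's DB accessor.

```vbnet
' Added example; assumes Microsoft.Security.Application (AntiXSS library) is referenced.
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports Microsoft.Security.Application

Partial Public Class Home
    Inherits Page

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        Dim stored As String = GetPageContent("home")

        ' If the stored value is the SRE-encoded form (&lt;p&gt;...), decode it
        ' once so the sanitizer sees real markup instead of escaped text.
        Dim html As String = HttpUtility.HtmlDecode(stored)

        ' Allow-list sanitizer: keeps harmless markup such as <p align="center">
        ' and drops script elements, event-handler attributes and javascript: URLs.
        Dim safe As String = Sanitizer.GetSafeHtmlFragment(html)

        ' PassThrough renders Text verbatim, so only the sanitized value goes in.
        ltPageContent.Mode = LiteralMode.PassThrough
        ltPageContent.Text = safe
    End Sub

    ' Hypothetical stand-in for the question's DB lookup. The return value is a
    ' constructed sample: the markup from the question plus an injected script
    ' element, so the effect of the sanitizer is visible in the rendered page.
    Private Function GetPageContent(key As String) As String
        Return "<p align=""center"">Welcome</p><script>alert(1)</script>"
    End Function
End Class
```

With this in place the page renders the paragraph but not the script element; the markup is shown as HTML rather than as encoded text because the Literal no longer encodes it.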
Source: https://stackoverflow.com/questions/7695148/html-encoding-issue-in-asp-net