asp.net - 使用 ascx 作为布局模板
这是我的布局模板(ascx,没有后面的代码)
<%@ Control Language="C#" AutoEventWireup="true" Inherits="ws.helpers.LayoutUC" %>
<div>blah blah blah</div>
<ws:Panel runat="server" ID="left"></ws:Panel>
<ws:Panel runat="server" ID="main"></ws:Panel>
<ws:Panel runat="server" ID="right"></ws:Panel>
模块稍后将添加到 ws:Panel 中。
我还允许我的用户创建他们自己的 ascx 文件来自定义他们的页面布局。因此,我用字符串替换了所有危险部分,例如脚本标记(runat =“server”),所有asp.net html标记,<%,<%@,<#...来自他们的自定义。
我不担心XSS,所以不要评论它,问为什么?
我想知道你对此的想法。安全吗?它具有可扩展性吗?这是标准的还是不好的方法?
This is my layout template (ascx without code behind)
<%@ Control Language="C#" AutoEventWireup="true" Inherits="ws.helpers.LayoutUC" %>
<div>blah blah blah</div>
<ws:Panel runat="server" ID="left"></ws:Panel>
<ws:Panel runat="server" ID="main"></ws:Panel>
<ws:Panel runat="server" ID="right"></ws:Panel>
Modules will be added into ws:Panel later.
I also allow my user create their own ascx file to custom their page layout. And because of this i do a string replace all dangerous part like script tag (runat="server"), all asp.net html tag, <%, <%@, <#.... from their custom.
Im not worry about XSS, so dont comment on it, and ask why?
I want know your thinking about this. Is is safe? Is it scalable? Is it standard or a bad way?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
查看 INaminingContainer 接口 http://msdn .microsoft.com/en-us/library/system.web.ui.inamingcontainer.aspx。
在用户的 .ascx 中,他们注册您的控件并将 asp.net 代码插入到属性中。在“YourControl”类中,您创建占位符并将设置为特定属性的标记插入到这些占位符中。 (例如
和
之间的所有内容都将插入到Edit 中:我总结了一些 TemplateContainer 问题并将其发布在这里:http://www.tomot.de/en-us/article/2/asp.net/how-to-create-an-asp.net -通过标记控制行为作为模板容器到嵌套内容
Have a look at the INaminingContainer Interface http://msdn.microsoft.com/en-us/library/system.web.ui.inamingcontainer.aspx.
In the .ascx from the users, they register your control and insert asp.net code into properties. In the 'YourControl' class you create placeholders and insert the markup set to a specific property into these placeholders. (e.g. everything between
<LeftColumn> and </LeftColumn>
will the inserted intoEdit: I summed some of the TemplateContainer issue up and posted it here: http://www.tomot.de/en-us/article/2/asp.net/how-to-create-an-asp.net-control-that-behaves-as-a-template-container-to-nest-content-via-markup
您允许用户上传内容;这本质上是不安全的,并且有整本书专门介绍最佳实践。无论如何,只要你确保清理输入,它就可以扩展吗?您允许在您的网站上创建用户上传的文件。会有多少个?有多少用户?负载均衡怎么样?此解决方案无法针对许多用户、文件或服务器进行扩展。
听起来您正在尝试创建一个简单的 CMS。为什么不使用当前存在的解决方案,或采用开源解决方案的一部分?
You are allowing user-uploaded content; this is inherently unsafe and there are whole books dedicated to best practices. Given that you are doing it anyway, as long as you make sure you scrub the input, is it scalable? You are allowing creation of user-uploaded files on your site. How many will there be? How many users? What about load-balancing? This solution will not scale for many users, files, or servers.
It sounds like you are trying to create a simple CMS. Why not use one that exists currently, or adopt parts of an open source solution?