在 ASP.NET MVC 中构建 ActionLink 时是否应该调用 Html.Encode
如果从数据库中提取链接的名称,您是否应该调用 Html.Encode 方法来清理名称?
例如:
Html.ActionLink(Model.PersonFromDB.FirstName,
"Action",
"Controller",
new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
null)
或:
Html.ActionLink(Html.Encode(Model.PersonFromDB.FirstName),
"Action",
"Controller",
new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
null)
您希望执行此操作以确保 和 < 之间没有危险字符串注入到页面中,这是有意义的/code> 标签,但是脚本和此类在锚标签之间可执行吗?
If the name of a link is pulled from the database, should you be calling the Html.Encode method to clean the name?
For example:
Html.ActionLink(Model.PersonFromDB.FirstName,
"Action",
"Controller",
new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
null)
or:
Html.ActionLink(Html.Encode(Model.PersonFromDB.FirstName),
"Action",
"Controller",
new RouteValueDictionary { { "id", Model.PersonFromDB.Id } },
null)
It would make sense that you would want to do this to ensure that there are no dangerous strings injected into the page between <a> and </a> tags, but are scripts and such executable between anchor tags?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
不,因为根据 SO 上的这个线程
HtmlAction.Link()已经对值进行了 HTML 编码,因此您最终会执行两次。No, since according to this thread on SO
HtmlAction.Link()already HTML encodes values, so you'd end up doing it twice.这当然是个好主意,但您可能应该阻止用户输入潜在的恶意字符串作为他们的名字。
It's certainly a good idea, but you should probably be preventing users from entering in potentially malicious strings as their first name.
是的,绝对是。作为一般规则,对于您要输出的任何最初从不受信任的来源获得的 HTML,假设该格式还不是 HTML(并且经过充分审查),您应该始终对字符串进行 HTML 编码,以防止注入攻击。
Yes, absolutely. As a general rule, for any HTML that you are going to output that was originally obtained from an untrusted source, assuming the format wasn't HTML already (and sufficiently vetted), you should always HTML encode the string to protect against injection attacks.