ASP.NET MVC 2 - AntiXSS 与内置 MVC 编码
既然 MVC 已经引入了 HTML 编码,那么
<%: blah %>
使用它还有价值吗
<%= AntiXSS.HTMLEncode(blah) %>
?
例如:我的应用程序将获取所有内容(包括 JavaScript)并将其以其原始状态存储在数据库中。我计划简单地使用 <%: model.Name %> 来输出所有内容,并依靠 MVC“东西”为我进行编码。
该方法是否足够安全,足以依赖 AntiXSS,或者我是否需要显式使用 AntiXSS 库?如果我需要使用 AntiXSS 库,请问为什么这种东西不已经内置到 MVC 中?
Now that MVC has introduced HTML Encoding via
<%: blah %>
is there still value in using
<%= AntiXSS.HTMLEncode(blah) %>
instead?
For Example: My application will take all content in (including JavaScript) and store it in it's raw state in the database. I was planning on simply outputting everything using something like <%: model.Name %> and relying on the MVC "stuff" to do the encoding for me.
Is that method secure enough to rely on for AntiXSS, or do I need to explicitly use the AntiXSS Library? If I need to use the AntiXSS Library, can I ask why wouldn't that kind of thing be already built into MVC?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我不认为有任何真正的区别,但如果您真的那么担心,您可以使用 AntiXss 库作为 asp.net 的默认编码器,如 本文。
I don't think there's any real difference, but if you're really that concerned, you can use the AntiXss library as the default encoder for asp.net, as described in this article.
<%:仅使用 HTML 编码。如果您要输出到 HTML 属性、Javascript 或任何适用 HTML 正文规则的空间,那么您仍然需要手动选择编码方法。
<%: only encodes with HTML encoding. If you're outputting to HTML attributes, Javascript or any space where the HTML body rules apply then you will still need to select the encoding method manually.
根据 Phil Haack 的文章: 在 ASP.NET 4(包括 MVC)中使用 AntiXss 作为 ASP.NET 的默认编码器,您可以覆盖默认的 HTML 编码器以使用 AntiXSS 编码器。
反对“AntiXSS.HTMLEncode”的理由
1)简写更容易编码
2) 调用辅助方法(<%:%>/@:/HttpUtility.HtmlEncode/Server.HtmlEncode/etc.)并注入编码器实现使您的代码比特定的 AntiXSS 实现更易于维护。
但是,我相信“AntiXSS.HTMLEncode”是 .NET 版本 << 的唯一选择。 4
Per Phil Haack's article: Using AntiXss as the Default Encoder for ASP.NET in ASP.NET 4 (including MVC), you can override the default HTML encoder to use the AntiXSS encoder.
Reasons against "AntiXSS.HTMLEncode"
1) The shorthand is easier to code
2) Calling the helper method (<%:%>/@:/HttpUtility.HtmlEncode/Server.HtmlEncode/etc.) and injecting the encoder implementation makes your code more maintainable vs. the specific AntiXSS implementation.
However, I believe "AntiXSS.HTMLEncode" is the only option for .NET versions < 4