内部站点是否需要使用 Html.Encode?
我在 Html.Encode
方面遇到一些问题,并且用户想要使用特殊字符。首先,字符被html代码替换,因此无法正常显示。然后,如果稍后编辑并重新提交文本,则重新提交这些 html 代码时会抛出异常。
鉴于这是一个 Intranet 站点,并且蓄意攻击的可能性几乎不存在,那么不使用 Html.Encode
真的有任何风险吗?是否有可能有人无意中提交了一些特殊字符而导致问题?
或者有更好的方法解决这个问题吗?
I'm having some problems with Html.Encode
and users wanting to use special characters. Firstly the characters are replaced by the html codes and so are not displayed properly. And then, if the text is later edited and re-submitted, an exception is thrown when these html codes are re-submitted.
Given that this is an intranet site and the possibility of a deliberate attack is almost non-existant, is there really any risk to not using Html.Encode
? Is there any possiblity that someone would inadvertently submit some special characters which cause problems?
Or is there a better way around this problem?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
。您是双重编码。您实际上希望 Html.Encode 来显示用户输入的 HTML 标签。除非您确实希望像
这样的内容成为项目符号列表而不是显示标签。
无论您为允许最初提交这些内容做了什么,都将有助于允许编辑。同样,也许由于双重编码,您会遇到进一步的问题。
在内心深处,您已经知道看待安全的方式是错误的;)
You are double encoding. You actually want to Html.Encode to display the HTML tags the user entered at all. Unless you actually want things like
<ul><li>
to be a bullet list instead of showing the tags.Whatever you did to allow the initial submission of those, will work to allow edit. Again, maybe because of the double encoding, you are getting into further issues.
Deep down You already know that way of seeing security is wrong ;)
是的,是的,再次是的。有人在输入字段中输入特殊字符总是存在风险。 Web 开发的黄金法则是永远不要信任用户输入,并且始终对可能来自用户输入的任何内容进行编码。
Yes, yes and yes again. There's always a risk by someone entering special characters in input fields. The golden rule of web development is never trust user input and always encode anything that might come from an user input.
检查您调用 Html.Encode 的所有位置,因为听起来您正在对字符串进行双重编码(可能在保存和显示时进行编码,或者在模板/部分上进行编码并再次进行编码)。
是的,即使它是内部的,也要始终对您的字符串进行编码,否则一名心怀不满的员工可能会造成一些严重的损害。
Check everywhere you are calling Html.Encode as it sounds like you're double encoding your strings (possibly encoding on save and on display or encoding on a template/partial and encoding that again).
And yes always encode your strings even if it's internal, otherwise one disgruntled employee could cause some serious damage.