如何允许用户输入html注释

发布于 2024-12-15 01:50:45 字数 644 浏览 4 评论 0原文

使用 MVC、EF 4.2。我正在开发一个有评论部分的应用程序。现在，如果用户输入包含 HTML（例如）的评论

<b>text</b>

并点击“提交”，我会收到消息 “检测到潜在危险的Request.Form值...”

我如何处理进入数据库的html？我应该去掉html吗？或者编码？我尝试了 server.htmlencode 文本，但仍然有相同的错误消息。

我读过很多关于此事的帖子，包括一些在这里的SO - 这个和这个

理想情况下，我希望能够允许有限数量的 html 标签，例如 em Strong、a。 Anti-XSS、HTML Agility、某种 BB 代码或 Markdown 样式编辑器仍然是推荐的方法吗？我知道杰夫有一段白名单代码 - 但它已经有几年了。

原文

Using MVC, EF 4.2. I am working on an application that has a comment section. Right now if a user enters a comment that contains HTML e.g.

<b>text</b>

and hits submit i get the message
"A ptentially dangerous Request.Form value was detected..."

How do i handle html on the way into the db? Should I just strip the html? Or encode it? I tried server.htmlencode the text but i still had the same error message.

I have read a number of posts on the matter including some here at SO - this one and this one

Ideally, i'd like to be able to allow a limited number of html tags such as em strong, a. Would Anti-XSS, HTML Agility, some kind of BB code, or a markdown style editor still be the recommended way? I know Jeff has a whitelist bit of code - however it is few yrs old.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

oО清风挽发oО 2024-12-22 01:50:45

你可以这样做

[ValidateInput(false)]
public ActionResult foo()
{
}

，或者你可以用 AllowHtml 装饰模型属性

   public class Foo
    {
        [AllowHtml]
        public string bar{ get; set; }
    }

you can do

[ValidateInput(false)]
public ActionResult foo()
{
}

or you can decorate the model property with AllowHtml

   public class Foo
    {
        [AllowHtml]
        public string bar{ get; set; }
    }

回复收藏 0 原文

寒尘 2024-12-22 01:50:45

您可能还需要在 web.config 中设置 requestValidationMode：

</system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web>

请参阅此链接了解更多详情。

You may also need to set the requestValidationMode in your web.config:

</system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web>

See this link for more details.

回复收藏 0 原文

垂暮老矣 2024-12-22 01:50:45

MVC 有一个属性，允许您指定一个属性应该允许 html，而无需完全禁用验证。它仍然很危险，但可以仅限于单一财产，因此可以减轻风险。这是 MSDN 文章对于AllowHtmlAttribute。该属性的正确用法应该是在模型中装饰适当的属性：

public class MyModel
{
    public MyModel()
    {

    }

    // Some other stuff in here

    [AllowHtml]
    [HttpPost]
    public string MyHtmlString { get; set; }

}

MVC has an attribute that allows you to specify a property should allow html without disabling validation completely. It's still dangerous, but it can be limited to a single property so the risk can be mitigated. Here is the MSDN article for the AllowHtmlAttribute. Proper usage of the attribute should be to decorate the appropriate property in your model:

public class MyModel
{
    public MyModel()
    {

    }

    // Some other stuff in here

    [AllowHtml]
    [HttpPost]
    public string MyHtmlString { get; set; }

}

回复收藏 0 原文