在 ASP.Net 中处理尖括号
目前,当尝试提交包含下拉菜单的交易时,该下拉菜单的文本包含尖括号,例如 ",自 ValidateRequest=true 以来,我收到 500 内部服务器错误默认情况下,由于跨站点脚本问题,它会在到达页面处理程序之前抛出未处理的异常。
有没有办法拦截和修改 HttpModule 或 Glabal.asax 中的请求对象,因为我知道 Request 对象是只读的。
我已经绞尽脑汁了近三天,但无法得到具体的解决方案。 处理此类情况的最佳解决方案是什么?我也不想在客户端对其进行编码。
Currently when trying to submit transaction that contain dropdown that has text containg angular bracket as e.g. "<abcd>", I'm getting 500 internal server error since ValidateRequest=true by default and throws unhandled exception before it reached to page handler since its Cross site scripting problem.
Is there a way to intercept and modify request object in HttpModule or Glabal.asax since I know Request object is readonly.
I've been breaking head for almost three days but not able to get a concrete solution.
What would be the best solution to handle these kind of scenarios. Also I don't want to encode it in client side.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
对列表框中的值进行编码:[编辑] 我意识到我的解决方案不适用。内容可能是由浏览器编码发送的,并且也由下拉列表呈现编码(如果您使用标准数据绑定)。我认为您唯一的选择是禁用请求的验证。
这意味着您必须非常小心用户输入。简单来说,使用 HttpUtility.HtmlEncode(txtXX.Text); 对每个用户输入进行编码。
有关详细信息,请参阅 MSDN 的脚本利用概述页面。
Encode the value in the listbox :[Edit] I realize my solution does not apply. The content is probably sent encoded by the browser, and is render encoded too by the drop down list (if you use standard databinding). I think your only option is to disable the validation of the request.
This implies you have to very careful on user input. To be simple, Encode every user input with
HttpUtility.HtmlEncode(txtXX.Text);.More on this in the Script Exploits Overview page of MSDN.
使用 HttpUtility.HtmlEncode 和 HttpUtility.HtmlDecode 来解决这个问题..
您可以将 html 编码文本放入控件中或根据您的要求使用这些方法(在事件之间)
遵循这些 SO 线程...
HttpUtility.HtmlEncode 来验证用户条目
asp.net 中的 w3c 验证错误
如果您可以禁用验证,请按照以下步骤操作< br>
asp.net:无效的回发或回调参数
检查MSDN中的脚本漏洞
Use HttpUtility.HtmlEncode and HttpUtility.HtmlDecode to solve this problem..
you can put html encoded text in the control or use these methods as per your requirement( Between Events)
Follow these SO thread...
HttpUtility.HtmlEncode to validate user entries
w3c validation error in asp.net
If you can disable validation then follow these
asp.net: Invalid postback or callback argument
Check MSDN for Script Exploits
我更喜欢使用 Microsoft 反跨站脚本库 V4.0 因为它提供了许多辅助函数来编码 HTML、HtmlAttribute、JavaScript、URL、XML,以限制任何跨站点攻击。
I prefer to use Microsoft Anti-Cross Site Scripting Library V4.0 as it provides many helper functions to encode HTML, HtmlAttribute, JavaScript, URL, XML to restrict any cross site attacks.