为控制器动作参数创建过滤器属性防XSS攻击
我有一个像这样的简单控制器:
[CustomFilter()]
public ActionResult Index( int? page ) {
return View();
}
public class CustomFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting( ActionExecutingContext filterContext ) {
base.OnActionExecuting( filterContext );
}
public override void OnActionExecuted( ActionExecutedContext filterContext ) {
base.OnActionExecuted( filterContext );
}
}
在主页(ASPX)中,如果我输入 http://localhost/home/index?page=
如何为此类攻击创建自定义过滤器并返回上一页而不显示红色页面(有错误)? 还是不可能?
I have a simple controller like that:
[CustomFilter()]
public ActionResult Index( int? page ) {
return View();
}
public class CustomFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting( ActionExecutingContext filterContext ) {
base.OnActionExecuting( filterContext );
}
public override void OnActionExecuted( ActionExecutedContext filterContext ) {
base.OnActionExecuted( filterContext );
}
}
In main page (ASPX), if I type http://localhost/home/index?page=<script> (is an example of XSS, I guess) instead of http://localhost/home/index?page=7 then the red page will appear (because in Visual studio I've installed AntiXSS addon).
How to create a custom filter for this type of attack and return the previous page without showing red page (with error) ?
Or is not possible ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
不,过滤器永远不会被调用。您可以在
Application_Error中执行类似的操作检查此问题:ASP.NET MVC 应用程序自定义错误页面未在共享托管环境中显示
查看问题和答案。
No, the filter will never be called. you can do something similar in
Application_ErrorCheck this question:ASP.NET MVC app custom error pages not displaying in shared hosting environment
look at the question and the answer.