AntiXSS - HtmlAttributeEncode usage
I am trying to figure out the context in which HtmlAttributeEncode could be used -
I tried with a simple 'Hello!' alert script to be set as a control attribute, so I could see HtmlAttributeEncode in action - but I can't see where I can use HtmlAttributeEncode instead of HtmlEncode.
So, for example, I have
- a textbox for user input
//txtuserInput.Text = <script>alert(document.cookie);</script>
- an anchor control to show user input being set as one of its attribute values
In codebehind tried with -
myanchorTag.InnerText = txtuserInput.Text
or
myanchorTag.Id = txtuserInput.Text
But I can't see this script running :-(
I have already tried that for TextBox.Text property but for that I can use HtmlEncode.
Can anyone please guide.
Thank you!
Comments (1)
The asp:Textbox control automatically escapes the .Text property. See http://blogs.msdn.com/cfs-file.ashx/__key/communityserver-components-postattachments/00-08-91-89-96/asp.net_5F00_control_5F00_encoding.htm
You should use HtmlAttributeEncode when using unescaped controls and when building raw html.
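The raw-HTML case the answer mentions, as an added example that is not part of the original answer: a user-supplied value is concatenated into a double-quoted attribute, first unencoded and then encoded for that context. It uses the framework's `System.Web.HttpUtility.HtmlAttributeEncode` as a stand-in for the AntiXSS library's encoder; the class name, helper names, markup and sample input are constructed for illustration.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework, built in on .NET Core/5+)

static class AttributeEncodingDemo
{
    // Constructed sample input: ordinary text containing quotes and a tag.
    const string UserInput = "Tom \"TJ\" <b>Jones</b>";

    // Raw HTML built by concatenation: the value lands inside a double-quoted
    // attribute with no encoding, so its first quote ends the attribute early.
    static string BuildUnencoded(string value) =>
        "<a href=\"/profile\" title=\"" + value + "\">profile</a>";

    // Same markup with the value encoded for the attribute context.
    static string BuildEncoded(string value) =>
        "<a href=\"/profile\" title=\"" + HttpUtility.HtmlAttributeEncode(value) + "\">profile</a>";

    // Element content is a different context and uses HtmlEncode.
    static string BuildContent(string value) =>
        "<a href=\"/profile\">" + HttpUtility.HtmlEncode(value) + "</a>";

    // Check for the encoded form: no raw quote survives, and decoding
    // returns exactly the text the user typed.
    static bool IsSafeAttributeValue(string original, string encoded) =>
        encoded.IndexOf('"') < 0 && HttpUtility.HtmlDecode(encoded) == original;

    static void Main()
    {
        string encoded = HttpUtility.HtmlAttributeEncode(UserInput);
        Console.WriteLine("unencoded : " + BuildUnencoded(UserInput));
        Console.WriteLine("attribute : " + BuildEncoded(UserInput));
        Console.WriteLine("content   : " + BuildContent(UserInput));
        Console.WriteLine("raw value safe in attribute?     " + IsSafeAttributeValue(UserInput, UserInput));
        Console.WriteLine("encoded value safe in attribute? " + IsSafeAttributeValue(UserInput, encoded));
    }
}
```

The encoding only protects a value that sits inside a quoted attribute; an unquoted attribute can still be ended by a space.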