我的标记中有这个:
<asp:DropDownList ID="ddlSalutation" runat="server">
<asp:ListItem Text="Please chose" Value="" />
<asp:ListItem Text="Mr" Value="Mr"></asp:ListItem>
<asp:ListItem Text="Mrs" Value="Mrs"></asp:ListItem>
</asp:DropDownList>
在 CS 中我使用:
string value = ddlSalutation.SelectedValue;
// ... save value
黑客是否有可能从客户端更改 DropDownList 并将错误的选定值发送到服务器? SelectedValue 可以有不同于“Mr”或“Mrs”的值吗?
最佳答案
谢登,
根据这篇文章:
Actually you should be able to assume that the dropdown list options have not been changed client side as long as the page has EnableEventValidation = true (which is default although you can disable it per page or in the web.config). If a new value is added to your dropdownlist client side, and a postback occurs an error will occur unless you register this new value for event validation (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx)
你肯定没问题。如果您禁用 EnableEventValidation,您应该能够手动验证如下(在 MVC 中编写):
public ActionResult PageOfGlory(){
string value = Request.Form["dllSalutation"];
string[] validSalutations = new string[]{
"Mr",
"Ms"
};
if(!validSalutations.Contains(value)){
ModelState.AddModelError("","Invalid Salutation");
return View();
}
//Add stuff to database
}
希望对您有所帮助!
卢卡斯
关于c# - ASP.NET DropDownList 中的 XSS 可能吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38543414/