我想要的是,我想阻止用户输入无效代码,如 hi<script>alert('1')</script>或其他攻击者可以插入的无效字符。
为此,我使用
尝试了以下代码[HttpPost]
[ValidateInput(false)]
public JsonResult InitiateWFfttx(string FSAID, string CREATEDBY, string MZONECODE, string MZONENAME, double COMLEG, double UGLEG, double ARLEG, double MDULEG, int STATUSID, string HOTOOFFERDATE, string REMARK, double HOTOOFFERLEG, int UMSGROUPIDBY, string UMSGROUPNAMEBY, int UMSGROUPIDTO, string UMSGROUPNAMETO, string SPANTYPE)
{
string strMessage = "";
string Message = "";
string msg = "";
try
{
string strRemarks = "";
strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK)); // here it is by passing the invalid character
if (strRemarks != "")
{
CTManagement ObjCTMang = new CTManagement();
ApplicationLog.Trace("Info", "Initated the process", UMSGROUPNAMEBY, CREATEDBY);
Message = ObjCTMang.InitiateWorkflow_Fttx(FSAID, CREATEDBY, MZONECODE, MZONENAME, COMLEG, UGLEG, ARLEG, MDULEG, STATUSID, HOTOOFFERDATE, REMARK, HOTOOFFERLEG, UMSGROUPIDBY, UMSGROUPNAMEBY, UMSGROUPIDTO, UMSGROUPNAMETO, SPANTYPE);
string state = Message.Split('|')[0];
string req_id = Message.Split('|')[1];
if (state == "SUCCESS")
{
//Code commented for optimizing the Job createing response by Jyotir
//SendEmail(CREATEDBY, UMSGROUPIDTO, UMSGROUPNAMETO, UMSGROUPNAMEBY, "NEW", req_id, SPANTYPE, R4GState, MZONECODE, REMARK, SPANTYPE == "INTERCITY" ? SPANID : LINKID);
ApplicationLog.Trace("Info", "Sucessfully generated Request Id: " + req_id, UMSGROUPNAMEBY, CREATEDBY);
}
}
else
{
Message = "ERROR|Invalid text not allowed in Remarks";
}
strMessage = JsonConvert.SerializeObject(Message);
}
catch (Exception ex)
{
if (Message.Length > 0)
{
msg = Message.Split('|')[1];
}
else
{
msg = ex.Message;
}
//ErrorLog.HandleErrorLog(CREATEDBY, SPANID, "InitiateWF", msg);
/*
* Error(string LogType, string functionname, string msg)
*/
ApplicationLog.Error("Error", "InitiateWFfttx", msg);
}
return Json(strMessage);
}
请建议如何对此进行编码。
strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK));这里它绕过了 html 片段。
最佳答案
这是 Sanitizer 的工作原理
string REMARK = "hi<script>alert('1')</script>";
string strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK));
Console.WriteLine("Sanitizer output:" + strRemarks);
这将正确显示 hi 作为输出。为什么?因为 sanitizer 会完全删除除 html 标签之外的所有内容。
script 标签肯定是个问题,因为大多数 xss 攻击都是从注入(inject)某种 javascript 开始的。
为了使您的代码工作,将您的 if 更改为
if (strRemarks.Equals(REMARKS))
关于javascript - GetSafeHtmlFragment 仍未按预期工作以停止 c# 中的跨站点脚本,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59386639/