当我处理用户输入,特别是脚本问题时,HTML.Encode() 为我提供了什么安全保护?
最佳答案
请查看 Server.HTMLEncode
:
The HTMLEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your Web application. Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.
If the string to be encoded is not DBCS, HTMLEncode converts characters as follows:
- The less-than character (<) is converted to
<
.- The greater-than character (>) is converted to
>
.- The ampersand character (&) is converted to
&
.- The double-quote character (") is converted to
"
.- Any ASCII code character whose code is greater-than or equal to 0x80 is converted to
&#<number>
, where is the ASCII character value.
这意味着,如果您要将一些数据转储到请求流,并且该数据是从用户输入的字段保存到数据库中的,则会阻止用户说出他们的名字是:
<script type="text/javascript">
function doSomethingEvil() { /* ... */ }
</script>
在本例中,
Server.HTMLEncode
将编码 <
, >
, 和 "
离开这个的字符:<script type="text/javascript">
function doSomethingEvil() { /* ... */ }
</script>
如果在浏览器中呈现,它将如下所示:
<script type="text/javascript"> function doSomethingEvil() { /* ... */ } </script>
而不是实际执行。
关于asp.net - HTML.Encode() - 它是什么/如何防止 ASP .NET 中的脚本安全问题?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/1014593/