If I have a user entering data into a rich text editor (TinyMCE) and submitting it, I store the data in the database and then retrieve it to display on other dynamic web pages, why do I need to encode here?
Is the only reason that someone might paste JavaScript into the rich text editor? Are there other reasons?
Best answer
Security is the reason.
The most obvious/common reason is Cross-Site Scripting (XSS). As it turns out, this is probably the root cause of the security problems you see in sites.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.
Also, as the comments below show, your site's layout can get messed up as well.
You need the Microsoft Anti-Cross Site Scripting Library
More resources
http://forums.asp.net/t/1223756.aspx
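An added example, not code from the original question or answer: a small JavaScript encoder that does what ASP.NET MVC's Html.Encode() does for the five HTML-significant characters, applied to constructed sample rows standing in for what the rich text editor stored and the database handed back. The row contents, the function names and the regex check are assumptions made for this illustration; they show both failure modes the answer names, injected script and broken layout, and how encoding on output neutralises them.

```javascript
// Added example (not from the original question or answer): a minimal HTML
// encoder with the same contract as ASP.NET's Html.Encode(), run over
// constructed sample rows that stand in for rich-text-editor content read
// back from the database.

// Characters that change the meaning of an HTML document.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode untrusted text so the browser shows it literally instead of
// parsing it as markup. This is the operation Html.Encode() performs.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed rows standing in for what was retrieved from the database.
const STORED_COMMENTS = [
  '<p>Looks good to me!</p>',
  // Script a user pasted into the editor; rendered raw it would run in
  // every visitor's browser (stored XSS).
  '<p>Nice</p><script>alert(1)</script>',
  // Unclosed tag with inline style; rendered raw it covers the rest of
  // the page (the layout damage the answer mentions).
  '<div style="position:absolute;top:0;left:0;width:100%;height:100%">',
];

// Build the list the way a vulnerable view would: raw concatenation.
function renderRaw(comments) {
  return comments.map((c) => `<li>${c}</li>`).join('');
}

// Build it the way the answer recommends: encode every value on output.
function renderEncoded(comments) {
  return comments.map((c) => `<li>${htmlEncode(c)}</li>`).join('');
}

// Cheap structural check for a test or a response scanner: does the
// rendered fragment still contain script or an event handler? (It does
// not detect the unclosed <div>; that is caught by encoding, not by this.)
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Stand-alone demonstration.
console.log('raw     :', renderRaw(STORED_COMMENTS));
console.log('encoded :', renderEncoded(STORED_COMMENTS));
console.log('raw has active markup     :', containsActiveMarkup(renderRaw(STORED_COMMENTS)));
console.log('encoded has active markup :', containsActiveMarkup(renderEncoded(STORED_COMMENTS)));
```

Encoding the whole fragment also turns the editor's own `<p>` and `<b>` tags into visible text, which is the trade-off for rich text: plain-text fields should always be encoded on output as shown, while HTML produced by an editor is normally run through an allow-list sanitiser (the Anti-XSS library the answer points to ships one) before it is stored or rendered.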
On asp.net-mvc - Why do I need to do html.encode(): we found a similar question on Stack Overflow: https://stackoverflow.com/questions/2914871/