
    Prevent Cross-Site Scripting (XSS) in ASP.NET Core

    Accessing encoders in code

    The HTML, JavaScript and URL encoders are available to your code in two ways: you can inject them via dependency injection, or you can use the default encoders contained in the System.Text.Encodings.Web namespace. If you use the default encoders, any character ranges you configured to be treated as safe won't take effect - the default encoders use the safest encoding rules possible.

    To use the configurable encoders via DI, your constructors should take an HtmlEncoder, JavaScriptEncoder and UrlEncoder parameter as appropriate. For example:

    C#
    using Microsoft.AspNetCore.Mvc;
    using System.Text.Encodings.Web;

    public class HomeController : Controller
    {
        // Encoders resolved from DI honour the TextEncoderSettings configured
        // in WebEncoderOptions; HtmlEncoder.Default and friends do not.
        private readonly HtmlEncoder _htmlEncoder;
        private readonly JavaScriptEncoder _javaScriptEncoder;
        private readonly UrlEncoder _urlEncoder;

        public HomeController(HtmlEncoder htmlEncoder,
                              JavaScriptEncoder javascriptEncoder,
                              UrlEncoder urlEncoder)
        {
            _htmlEncoder = htmlEncoder;
            _javaScriptEncoder = javascriptEncoder;
            _urlEncoder = urlEncoder;
        }
    }


    Encoding URL Parameters

    If you want to build a URL query string with untrusted input as a value, use the UrlEncoder to encode the value. For example:

    C#
    // The input itself contains double quotes, so they are escaped in the literal.
    var example = "\"Quoted Value with spaces and &\"";
    var encodedValue = _urlEncoder.Encode(example);


    After encoding, the encodedValue variable will contain %22Quoted%20Value%20with%20spaces%20and%20%26%22. Spaces, quotes, punctuation and other unsafe characters are percent-encoded to their hexadecimal value; for example, a space character becomes %20.

    Warning

    Don't use untrusted input as part of a URL path. Always pass untrusted input as a query string value.
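    The two points above (configured safe ranges are ignored by the default encoders, and untrusted input belongs in a query-string value) as an added, self-contained console example; this is not code from the article or from Microsoft's docs, and the sample input string is constructed for the demo.

```csharp
// Added example: compares HtmlEncoder.Default with an encoder built from
// TextEncoderSettings, and builds a query string from untrusted input.
// Targets .NET 6+; no ASP.NET Core host is needed to run it.
using System;
using System.Text.Encodings.Web;
using System.Text.Unicode;

static class EncoderDemo
{
    // Constructed sample input: markup-significant characters plus CJK text.
    const string Untrusted = "<b>\"你好\"</b> & more";

    // Encoder that treats BasicLatin and CJK ideographs as safe. The same
    // settings object is what you would register for the DI-injected
    // encoders via services.AddWebEncoders(o => o.TextEncoderSettings = ...).
    static readonly HtmlEncoder Relaxed = HtmlEncoder.Create(
        new TextEncoderSettings(UnicodeRanges.BasicLatin,
                                UnicodeRanges.CjkUnifiedIdeographs));

    // Default encoder: only BasicLatin is left as-is, everything else is
    // encoded, and the configured ranges above play no part.
    public static string EncodeDefault(string s) => HtmlEncoder.Default.Encode(s);

    // Relaxed encoder: CJK characters pass through unchanged, while
    // <, >, ", ' and & are still encoded because they are never "safe".
    public static string EncodeRelaxed(string s) => Relaxed.Encode(s);

    // Untrusted input goes into a query-string value, never into the path.
    public static string BuildSearchUrl(UrlEncoder enc, string untrusted)
        => "/search?q=" + enc.Encode(untrusted);

    static void Main()
    {
        Console.WriteLine("Default:  " + EncodeDefault(Untrusted));
        Console.WriteLine("Relaxed:  " + EncodeRelaxed(Untrusted));
        Console.WriteLine("Query:    " + BuildSearchUrl(UrlEncoder.Default, Untrusted));
    }
}
```

    Compare the two HTML lines: both neutralise the tags and the ampersand, but only the relaxed encoder leaves the CJK characters readable, which is the trade-off the configurable encoders exist for.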

    using System;
    using System.Text.Encodings.Web;
    using System.Web;
    using System.Web.Security.AntiXss;
    using NUnit.Framework;

    [TestFixture]
    public class XssTests
    {
        [Test]
        public void XssTest()
        {
            // The input itself contains double quotes, so they are escaped in the literal.
            string input = "\"Quoted Value with spaces and &\"";
            WriteConsole($"BeforeEncode:{Environment.NewLine}{input}");

            // Each encoder below is the safest default for its output context:
            // URL query values, JavaScript string literals, and HTML text respectively.
            var output = UrlEncoder.Default.Encode(input);
            WriteConsole($"UrlEncoder.Encode:{Environment.NewLine}{output}");

            output = JavaScriptEncoder.Default.Encode(input);
            WriteConsole($"JavaScriptEncoder.Encode:{Environment.NewLine}{output}");

            output = HtmlEncoder.Default.Encode(input);
            WriteConsole($"HtmlEncoder.Encode:{Environment.NewLine}{output}");

            // Legacy System.Web encoders, for comparison.
            output = HttpUtility.HtmlEncode(input);
            WriteConsole($"HttpUtility.HtmlEncode:{Environment.NewLine}{output}");

            output = AntiXssEncoder.HtmlEncode(input, false);
            WriteConsole($"AntiXssEncoder.HtmlEncode:{Environment.NewLine}{output}");
        }

        private void WriteConsole(string str)
        {
            Console.WriteLine(str);
            Console.WriteLine();
        }
    }

    BeforeEncode:
    "Quoted Value with spaces and &"

    UrlEncoder.Encode:
    %22Quoted%20Value%20with%20spaces%20and%20%26%22

    JavaScriptEncoder.Encode:
    \u0022Quoted Value with spaces and \u0026\u0022

    HtmlEncoder.Encode:
    &quot;Quoted Value with spaces and &amp;&quot;

    HttpUtility.HtmlEncode:
    &quot;Quoted Value with spaces and &amp;&quot;

    AntiXssEncoder.HtmlEncode:
    &quot;Quoted Value with spaces and &amp;&quot;

    Original article: https://www.cnblogs.com/chucklu/p/12751542.html