How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

Question

asked Oct 17, 2021 in Technique[技术] by 深蓝 (71.8m points)

I recently noticed that I had a big hole in my application because I had done something like:

<input type="text" value="<%= value%>" />

I know that I should have used Html.Encode, but is there any way to do that for all values, without having to do it explicitly?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

423 views

1 Answer

深蓝 · Answer 1 · 2021-10-17T00:07:06+0000

There's a few ways:

Use the <%: %> syntax in ASP.NET MVC2 / .NET 4.0. (Which is just syntactic sugar for Html.Encode())
Follow the directions laid out by Phil Haack where it details using the Anti-XSS library as the 'default' encoding engine for ASP.NET.