问题描述

我们正在处理一些问题XSS在我们的ASP.NET MVC项目之一。我发现了两个问题 - 第一个与我们的请求验证的模式做。然后攻击者可以利用这个安全漏洞砸在我们的数据库中的一些不好的内容。

We are currently dealing with some XSS issues on one of our ASP.NET MVC projects. I found two issues - the first one has to do with our request validation pattern. The attacker could now use this security hole to drop some bad content in our database.

第二个问题是我们如何显示这些内容，我们用Html.DisplayTextFor方法，它似乎是破。

The second issue is how we display this content and we use the Html.DisplayTextFor method and it seems to be "broken".

只要创建一个新的MVC Web应用程序3，把这个HomeController的：

Just create a new MVC 3 WebApp, put this in the HomeController:

public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewBag.Message = "<SCRIPT/XSS SRC=\"htpp://ha.ckers.org/css.js\">";

        User foo = new User();
        foo.Name = "<SCRIPT/XSS SRC=\"htpp://ha.ckers.org/css.js\">";

        return View(bla);
    }

    public ActionResult About()
    {
        return View();
    }
}

public class User
{
    public string Name { get; set; }
}

视图：

@Html.TextBoxFor(m => m.Name) <br/> ||| <-- will be encoded

@Html.Encode(ViewBag.Message)<br/> ||| <-- will be double encoded

@Model.Name <br/> ||| <-- will be encoded

@Html.DisplayTextFor(m => m.Name) <-- no encoding
<br/> |||

在DisplayTextFor的输出将是整个字符串＆LT;脚本XSS =SRC =HTPP：//ha.ckers.org/css.js＆GT;

问题是：错误，功能还是我用错了

Question is: Bug, feature or am I using it wrong?

推荐答案

Html.DisplayTextFor 是真正为交互的 [DisplayFormat] 属性（请参阅MSDN ）。

Html.DisplayTextFor is really for interacting with the [DisplayFormat] attribute (see MSDN).

编辑：看起来像HtmlEn code属性实际上并不DataAnnotationsModelMetadataProvider（和DisplayTextFor）执行

Looks like the HtmlEncode property isn't actually enforced by DataAnnotationsModelMetadataProvider (and DisplayTextFor).

这篇关于是否标准Html.DisplayTextFor（）没有HTML编码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！