Problem description
By using HttpRequestValidationException, does it necessarily protect you against all cross-scripting threats?
Are there situations where a potentially dangerous script might manage to go undetected?
Recommended answer
No, in short it doesn't. Please decompile it using Reflector and see what it does. An attack on an HTML attribute could be:
" onfocus=alert(1) autofocus
There are no < or > in this yet it still works. Please use AntiXss and check the OWASP XSS prevention cheat sheet. So you need to pay attention especially whenever you are using unescaped attributes like Literal.