问题描述
我有一个字面控件用于显示来自DB的HTML。我确实遇到了一些XSS问题,并实施了反XSS安全运行时引擎(SRE)来自动编码所有的html标记。例如
DB:< p align =center>< / p>
Anti-XSS将其编码为:
&#60; p align& #61;&#34; center&#34;&#62;&#160;&#60;&#47; p&#62
pre>
但是,当我从代码背后设置文字内容的文本属性时,我期望文字控件将DECODE正确的HTML并显示渲染的版本。相反,它显示了ENCODED版本。
因此,文字控件显示 -
< p align =center>< / p>
postrender。新新新新旗新新旗新新旗新新旗新新旗新新旗新新旗新新旗新新旗新新旗新新旗新新旗旗新新旗新新旗新旗新新旗新新旗新新旗新新旗新新旗新新旗新新旗旗ASPX - < asp:Literal ID =ltPageContentrunat =server>< / asp:Literal>
页面加载后的代码 - ltPageContent.Text = getPageContent(home)'从DB获取HTML
我在这里缺少一些简单的东西?
解决方案在不考虑XSS风险的情况下,您可能会忘记LiteralControl,并使用内联代码而是:
ASPX:
<%= Server.HtmlDecode (YOUR_STRING)%>
I have a literal control being used to display HTML coming from DB. I did face some XSS issues and implemented Anti-XSS Security Runtime Engine (SRE) to automatically encode all html markup. e.g.
DB :
<p align="center"></p>
Anti-XSS encodes it as :
<p align="center"> </p>
However, when I am setting text property of literal content from code behind, I was expecting that the literal control will DECODE the proper html and display the rendered version. Instead, it is showing the ENCODED version.
Thus literal control displays -
<p align="center"></p>
postrender. I understand it is Anti-xss in action but how can I get the literal control to show the rendered HTML instead of markup?ASPX - <asp:Literal ID="ltPageContent" runat="server"></asp:Literal> Code behind on page load - ltPageContent.Text = getPageContent("home")'Gets HTML from DB
Am I missing something simple here?
解决方案Without considering XSS risks, you may forget LiteralControl here and use inline codes instead:
ASPX:
<%= Server.HtmlDecode(YOUR_STRING) %>
这篇关于asp.net中的HTML编码问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!