
C# - Literal control vulnerable to XSS

Reposted. Author: 行者123. Updated: 2023-11-30 21:18:48

I am using a Literal control to display some JavaScript on a product page. Basically, what I am doing is declaring a new StringBuilder in my code-behind, writing out the script while inserting some dynamic variables to populate it, and then setting the Literal's Text to the StringBuilder. This leaves me vulnerable to XSS. What can I do to prevent this?

Edit: here is an example of the StringBuilder. The XSS vulnerability occurs as soon as the JavaScript is generated when the page loads.

// As posted: every dynamic value is concatenated unencoded into the JavaScript string literals.
System.Text.StringBuilder sb = new System.Text.StringBuilder();
// loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
    sb.Append("<script type='text/javascript'>");
    // add +1 to each item
    sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i + 1);
    sb.Append("\"entity.id=" + _prodID + "\",");
    sb.Append("\"entity.categoryId=" + _categoryID + "\",");
    sb.Append("\"entity.name=" + _prod.ActiveProductItemCollection[i].Title + "\",");
    sb.Append("\"entity.pageURL=" + Request.Url.ToString() + "\",");
    // The following value has been taken from the productImageControl code-behind.
    // Might have to refactor in future as a property of the image control.
    string filename = AppSettingsManager.Current.ProductImagePathLarge + _prod.ActiveProductItemCollection[i].Sku
        + AppSettingsManager.Current.ProductImageExtension;
    sb.Append("\"entity.thumbnailURL=" + filename + "\",");
    sb.Append("\"entity.inventory=" + _prod.ActiveProductItemCollection.Count + "\",");
    sb.Append("\"entity.value=" + _prod.ActiveProductItemCollection[i].ActualPrice + "\",");
    sb.Append("\"entity.ProductItemID=" + _prod.ActiveProductItemCollection[i].Sku + "\",");
    sb.Append("\"entity.addToCartImg=~/Images/Buttons/btn_AddToCartFlat.gif\");<");
    // The last line has to be /script. The < is inserted on the previous line. Do not change it or bad things will happen.
    sb.Append("/script>");
}
this.LiteralMBoxScript.Text = sb.ToString();

Best answer

You need to properly encode any user-generated data you put into JavaScript.

In ASP.NET 4.0, you can call HttpUtility.JavaScriptStringEncode.
In earlier versions, you can use the Web Protection Library.
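The following is an added example, not code from the question or the answer above: it rebuilds the same mboxCreate script so that every dynamic value (product id, title, SKU, request URL and so on) goes through HttpUtility.JavaScriptStringEncode before it is placed inside a JavaScript string literal. The class name MboxScriptBuilder, the Build method and the sample values are assumptions for illustration; it needs .NET Framework 4.0 or later with a reference to System.Web.

```csharp
// Added example (not from the original question or answer): the mboxCreate
// script built so that each dynamic value is encoded as a JS string literal.
// Assumes .NET Framework 4.0+ with a reference to System.Web.
using System;
using System.Text;
using System.Web;

public static class MboxScriptBuilder
{
    // Returns the value as a double-quoted JS string literal. JavaScriptStringEncode
    // escapes quotes, backslashes and control characters, and emits <, > and & as
    // \u003c, \u003e and \u0026, so neither a stray closing quote nor a "</script>"
    // sequence inside the value can terminate the literal or the script block.
    static string JsString(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value ?? string.Empty, addDoubleQuotes: true);
    }

    public static string Build(int index, string prodId, string categoryId,
                               string title, string pageUrl, string thumbnailUrl,
                               int inventory, decimal price, string sku)
    {
        var sb = new StringBuilder();
        sb.Append("<script type='text/javascript'>");
        // The mbox name only contains a loop counter, so it is not externally controlled.
        sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", index);
        // Every other argument carries database- or request-derived data:
        // encode each one instead of concatenating it raw.
        sb.Append(JsString("entity.id=" + prodId)).Append(',');
        sb.Append(JsString("entity.categoryId=" + categoryId)).Append(',');
        sb.Append(JsString("entity.name=" + title)).Append(',');
        sb.Append(JsString("entity.pageURL=" + pageUrl)).Append(',');   // Request.Url is attacker-influenced
        sb.Append(JsString("entity.thumbnailURL=" + thumbnailUrl)).Append(',');
        sb.Append(JsString("entity.inventory=" + inventory)).Append(',');
        sb.Append(JsString("entity.value=" + price)).Append(',');
        sb.Append(JsString("entity.ProductItemID=" + sku)).Append(',');
        sb.Append(JsString("entity.addToCartImg=~/Images/Buttons/btn_AddToCartFlat.gif"));
        sb.Append(");</script>");
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample input: a title and URL carrying characters that would
        // otherwise end the string literal and the script block.
        string hostileTitle = "Widget\"); </script><script>alert(1)</script>";
        string hostileUrl = "http://shop.example/product/42?q=\"</script>";
        Console.WriteLine(Build(1, "42", "7", hostileTitle, hostileUrl, "/img/42.jpg", 3, 9.99m, "SKU-42"));
    }
}
```

Assign the returned string to LiteralMBoxScript.Text as in the original code; the Literal itself performs no encoding, so the encoding has to happen here, per value, before the markup is assembled.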

For "C# - Literal control vulnerable to XSS", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/4070453/
