Prevent Cross-Site Scripting (XSS) in ASP.NET Core
Prevent Cross-Site Scripting (XSS) in ASP.NET Core
Accessing encoders in code
The HTML, JavaScript and URL encoders are available to your code in two ways, you can inject them via dependency injection or you can use the default encoders contained in the System.Text.Encodings.Web namespace. If you use the default encoders then any you applied to character ranges to be treated as safe won't take effect - the default encoders use the safest encoding rules possible.
To use the configurable encoders via DI your constructors should take an HtmlEncoder, JavaScriptEncoder and UrlEncoder parameter as appropriate. For example;
public class HomeController : Controller
{
HtmlEncoder _htmlEncoder;
JavaScriptEncoder _javaScriptEncoder;
UrlEncoder _urlEncoder;
public HomeController(HtmlEncoder htmlEncoder,
JavaScriptEncoder javascriptEncoder,
UrlEncoder urlEncoder)
{
_htmlEncoder = htmlEncoder;
_javaScriptEncoder = javascriptEncoder;
_urlEncoder = urlEncoder;
}
}
Encoding URL Parameters
If you want to build a URL query string with untrusted input as a value use the UrlEncoder to encode the value. For example,
var example = "\"Quoted Value with spaces and &\"";
var encodedValue = _urlEncoder.Encode(example);
After encoding the encodedValue variable will contain %22Quoted%20Value%20with%20spaces%20and%20%26%22. Spaces, quotes, punctuation标点符号 and other unsafe characters will be percent encoded to their hexadecimal十六进制 value, for example a space character will become %20.
Warning
Don't use untrusted input as part of a URL path. Always pass untrusted input as a query string value.
[Test] public void XssTest() { string input = "\"Quoted Value with spaces and &\""; WriteConsole($"BeforeEncode:{Environment.NewLine}{input}"); var output = UrlEncoder.Default.Encode(input); WriteConsole($"UrlEncoder.Encode:{Environment.NewLine}{output}"); output = JavaScriptEncoder.Default.Encode(input); WriteConsole($"JavaScriptEncoder.Encode:{Environment.NewLine}{output}"); output = HtmlEncoder.Default.Encode(input); WriteConsole($"HtmlEncoder.Encode:{Environment.NewLine}{output}"); output = HttpUtility.HtmlEncode(input); WriteConsole($"HttpUtility.HtmlEncode:{Environment.NewLine}{output}"); output = AntiXssEncoder.HtmlEncode(input,false); WriteConsole($"AntiXssEncoder.HtmlEncode:{Environment.NewLine}{output}"); } private void WriteConsole(string str) { Console.WriteLine(str); Console.WriteLine(); }
BeforeEncode:
"Quoted Value with spaces and &"UrlEncoder.Encode:
%22Quoted%20Value%20with%20spaces%20and%20%26%22JavaScriptEncoder.Encode:
\u0022Quoted Value with spaces and \u0026\u0022HtmlEncoder.Encode:
"Quoted Value with spaces and &"HttpUtility.HtmlEncode:
"Quoted Value with spaces and &"AntiXssEncoder.HtmlEncode:
"Quoted Value with spaces and &"
作者:Chuck Lu GitHub |
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· 浏览器原生「磁吸」效果!Anchor Positioning 锚点定位神器解析
· 没有源码,如何修改代码逻辑?
· 全程不用写代码,我用AI程序员写了一个飞机大战
· MongoDB 8.0这个新功能碉堡了,比商业数据库还牛
· 记一次.NET内存居高不下排查解决与启示
· DeepSeek 开源周回顾「GitHub 热点速览」
· 白话解读 Dapr 1.15:你的「微服务管家」又秀新绝活了
2019-04-22 257. Binary Tree Paths
2019-04-22 EXEC sp_executesql with multiple parameters
2016-04-22 C# Socket 您的主机中的软件中止了一个已建立的连接 An established connection was aborted by the software in your host machine
2016-04-22 使用tortoisegit修改日志
2015-04-22 DataGridView中的单元格提示错误信息