GetSafeHtmlFragment 仍未按预期工作以停止 c# 中的跨站点脚本
GetSafeHtmlFragment is still not working as expected to stop cross site scripting in c#
我想要的是,我想阻止用户输入无效代码,例如 hi<script>alert('1')</script> 或其他攻击者可以插入的无效字符。
为此,我使用
尝试了以下代码
[HttpPost]
[ValidateInput(false)]
public JsonResult InitiateWFfttx(string FSAID, string CREATEDBY, string MZONECODE, string MZONENAME, double COMLEG, double UGLEG, double ARLEG, double MDULEG, int STATUSID, string HOTOOFFERDATE, string REMARK, double HOTOOFFERLEG, int UMSGROUPIDBY, string UMSGROUPNAMEBY, int UMSGROUPIDTO, string UMSGROUPNAMETO, string SPANTYPE)
{
string strMessage = "";
string Message = "";
string msg = "";
try
{
string strRemarks = "";
strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK)); // here it is by passing the invalid character
if (strRemarks != "")
{
CTManagement ObjCTMang = new CTManagement();
ApplicationLog.Trace("Info", "Initated the process", UMSGROUPNAMEBY, CREATEDBY);
Message = ObjCTMang.InitiateWorkflow_Fttx(FSAID, CREATEDBY, MZONECODE, MZONENAME, COMLEG, UGLEG, ARLEG, MDULEG, STATUSID, HOTOOFFERDATE, REMARK, HOTOOFFERLEG, UMSGROUPIDBY, UMSGROUPNAMEBY, UMSGROUPIDTO, UMSGROUPNAMETO, SPANTYPE);
string state = Message.Split('|')[0];
string req_id = Message.Split('|')[1];
if (state == "SUCCESS")
{
//Code commented for optimizing the Job createing response by Jyotir
//SendEmail(CREATEDBY, UMSGROUPIDTO, UMSGROUPNAMETO, UMSGROUPNAMEBY, "NEW", req_id, SPANTYPE, R4GState, MZONECODE, REMARK, SPANTYPE == "INTERCITY" ? SPANID : LINKID);
ApplicationLog.Trace("Info", "Sucessfully generated Request Id: " + req_id, UMSGROUPNAMEBY, CREATEDBY);
}
}
else
{
Message = "ERROR|Invalid text not allowed in Remarks";
}
strMessage = JsonConvert.SerializeObject(Message);
}
catch (Exception ex)
{
if (Message.Length > 0)
{
msg = Message.Split('|')[1];
}
else
{
msg = ex.Message;
}
//ErrorLog.HandleErrorLog(CREATEDBY, SPANID, "InitiateWF", msg);
/*
* Error(string LogType, string functionname, string msg)
*/
ApplicationLog.Error("Error", "InitiateWFfttx", msg);
}
return Json(strMessage);
}
请建议如何对此进行编码。
strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK)); 这里它绕过了 html 片段。
这是 Sanitizer 的工作原理
string REMARK = "hi<script>alert('1')</script>";
string strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK));
Console.WriteLine("Sanitizer output:" + strRemarks);
这将正确显示 hi 作为输出。为什么?因为消毒剂会完全去除除 html 标签之外的所有内容。
script 标签肯定是个问题,因为大多数 xss 攻击都是从注入某种 javascript 开始的。
要使您的代码正常工作,请将 if 更改为
if (strRemarks.Equals(REMARKS))
我想要的是,我想阻止用户输入无效代码,例如 hi<script>alert('1')</script> 或其他攻击者可以插入的无效字符。
为此,我使用
尝试了以下代码[HttpPost]
[ValidateInput(false)]
public JsonResult InitiateWFfttx(string FSAID, string CREATEDBY, string MZONECODE, string MZONENAME, double COMLEG, double UGLEG, double ARLEG, double MDULEG, int STATUSID, string HOTOOFFERDATE, string REMARK, double HOTOOFFERLEG, int UMSGROUPIDBY, string UMSGROUPNAMEBY, int UMSGROUPIDTO, string UMSGROUPNAMETO, string SPANTYPE)
{
string strMessage = "";
string Message = "";
string msg = "";
try
{
string strRemarks = "";
strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK)); // here it is by passing the invalid character
if (strRemarks != "")
{
CTManagement ObjCTMang = new CTManagement();
ApplicationLog.Trace("Info", "Initated the process", UMSGROUPNAMEBY, CREATEDBY);
Message = ObjCTMang.InitiateWorkflow_Fttx(FSAID, CREATEDBY, MZONECODE, MZONENAME, COMLEG, UGLEG, ARLEG, MDULEG, STATUSID, HOTOOFFERDATE, REMARK, HOTOOFFERLEG, UMSGROUPIDBY, UMSGROUPNAMEBY, UMSGROUPIDTO, UMSGROUPNAMETO, SPANTYPE);
string state = Message.Split('|')[0];
string req_id = Message.Split('|')[1];
if (state == "SUCCESS")
{
//Code commented for optimizing the Job createing response by Jyotir
//SendEmail(CREATEDBY, UMSGROUPIDTO, UMSGROUPNAMETO, UMSGROUPNAMEBY, "NEW", req_id, SPANTYPE, R4GState, MZONECODE, REMARK, SPANTYPE == "INTERCITY" ? SPANID : LINKID);
ApplicationLog.Trace("Info", "Sucessfully generated Request Id: " + req_id, UMSGROUPNAMEBY, CREATEDBY);
}
}
else
{
Message = "ERROR|Invalid text not allowed in Remarks";
}
strMessage = JsonConvert.SerializeObject(Message);
}
catch (Exception ex)
{
if (Message.Length > 0)
{
msg = Message.Split('|')[1];
}
else
{
msg = ex.Message;
}
//ErrorLog.HandleErrorLog(CREATEDBY, SPANID, "InitiateWF", msg);
/*
* Error(string LogType, string functionname, string msg)
*/
ApplicationLog.Error("Error", "InitiateWFfttx", msg);
}
return Json(strMessage);
}
请建议如何对此进行编码。
strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK)); 这里它绕过了 html 片段。
这是 Sanitizer 的工作原理
string REMARK = "hi<script>alert('1')</script>";
string strRemarks = Sanitizer.GetSafeHtmlFragment(Convert.ToString(REMARK));
Console.WriteLine("Sanitizer output:" + strRemarks);
这将正确显示 hi 作为输出。为什么?因为消毒剂会完全去除除 html 标签之外的所有内容。
script 标签肯定是个问题,因为大多数 xss 攻击都是从注入某种 javascript 开始的。
要使您的代码正常工作,请将 if 更改为
if (strRemarks.Equals(REMARKS))