Question
I've been searching for this for a while and couldn't find anything; apologies if there is something and I've missed it.
Is there anything in the Web-API 2 framework that will automatically reject HTML tags on string model properties (except for a select few)?
I know I could create a custom validation attribute, and whack it on every property, but that's a lot of overhead to maintain and remember to do on all new models.
    public class Person {
        public string Name { get; set; }
        // ... snipped
    }
I can make a post request to my POST endpoint with JSON similar to:
    {
        "name": "<h1>This is my name</h1>"
    }
In the action the person.Name will be equal to "<h1>This is my name</h1>", with no validation errors raised.
Answer 1:
I was looking for the same thing as you. Coming from an MVC standpoint where we have parameters to disallow HTML in input fields in forms, this seems reasonable.
I found this library though, that sort of, in a way might help out... It does not fully answer your question in the way you want it, but it helps out with the custom attributes you would otherwise have to generate by yourself, if you decided to go for an attribute path...
NuGet package: https://www.nuget.org/packages/ASPNetWebAPIAntiXss/
Examples and the product page: https://bitbucket.org/embarr-development/asp.net-web-api-antixss-attribute
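Added example (not part of the question or the answer above, and not code from the linked library): one way to get the "reject by default, allow on a select few" behaviour in Web API 2 is a global action filter that walks every bound argument. RejectHtmlFilter, PermitHtmlAttribute and the tag pattern are hypothetical names and choices made for this sketch.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical opt-out marker for the few properties that may carry markup.
[AttributeUsage(AttributeTargets.Property)]
public sealed class PermitHtmlAttribute : Attribute { }

// Hypothetical global filter: walks every bound argument and flags tag-like strings.
public sealed class RejectHtmlFilter : ActionFilterAttribute
{
    // "<" followed by a letter, "/", "!" or "?": the start of a tag, comment or declaration.
    private static readonly Regex TagStart = new Regex(@"<[A-Za-z/!?]", RegexOptions.Compiled);

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        foreach (var arg in actionContext.ActionArguments)
            Check(arg.Value, arg.Key, actionContext, 0);
        // Note: this also answers 400 for errors the model binder recorded earlier.
        if (!actionContext.ModelState.IsValid)
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.BadRequest, actionContext.ModelState);
    }

    private static void Check(object value, string path, HttpActionContext ctx, int depth)
    {
        if (value == null || depth > 8) return;        // depth cap stops cyclic object graphs
        var text = value as string;
        if (text != null && TagStart.IsMatch(text))
            ctx.ModelState.AddModelError(path, "HTML markup is not allowed.");
        if (text != null) return;
        var items = value as IEnumerable;              // arrays, lists, dictionaries
        if (items != null)
        {
            int i = 0;
            foreach (var item in items) Check(item, path + "[" + i++ + "]", ctx, depth + 1);
            return;
        }
        var type = value.GetType();
        if (type.IsPrimitive || type.IsEnum || type.Namespace == "System") return; // int, DateTime, Guid
        foreach (var p in type.GetProperties())        // public properties of the model
        {
            if (!p.CanRead || p.GetIndexParameters().Length > 0
                || p.IsDefined(typeof(PermitHtmlAttribute), true)) continue;
            Check(p.GetValue(value), path + "." + p.Name, ctx, depth + 1);
        }
    }
}
```

Registering it once with config.Filters.Add(new RejectHtmlFilter()) in WebApiConfig.Register covers all existing and future models, so the Person payload from the question gets a 400 with a model error keyed on person.Name. Rejecting markup on input complements output encoding wherever the value is later rendered; it does not replace it.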
Source: https://stackoverflow.com/questions/30076978/deny-html-in-webapi-model-properties