Question
In asp.net is the PagesSection.ValidateRequest method enough to prevent all XSS attacks or is there something more that needs to be done?
Can anyone point me to a more thorough resource on this topic specifically for asp.net as Google mainly returns MSDN articles and I'd like to verify that we're doing enough.
Answer 1:
AntiXSS Library
The Microsoft AntiXSS library is a good solution for ASP.Net. It uses a whitelist (versus blacklist) approach and seems to be regularly updated by Microsoft.
Latest download (as of this post): http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28589
AntiXSS supports both text and HTML-style validation. The HTML validation does permit content that might be undesirable (such as images in another domain).
It requires that you run each of your input values through the library which will result in additional (albeit simple) code.
using System;
using Microsoft.Security.Application;

public class AppText
{
    // Sanitizes an HTML fragment with the AntiXSS whitelist sanitizer,
    // keeping permitted markup and dropping everything else.
    public static string GetSafeHtml( string inputText )
    {
        return Sanitizer.GetSafeHtmlFragment( inputText );
    }

    // HTML-encodes the whole value so it renders as plain text.
    public static string GetSafeText( string inputText )
    {
        return Microsoft.Security.Application.Encoder.HtmlEncode( inputText );
    }
}
Benefits
Manually validating each input ensures that you are not assuming security is just "handled" by ASP.Net request validation. It also gives you the flexibility to disable request validation if needed (there are legitimate cases for questionable characters in a request). Because you are validating the input explicitly with the AntiXSS library, you can allow characters/markup in the request.
General XSS Info
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Answer 2:
Here is one example: HttpRequestValidationException and cross-site scripting XSS
The request validation simply tries to stop requests containing a very small set of bad letters. And this is not enough to stop XSS, as there are several examples of XSS that fall outside that set of letters. One such example is jumping out of an existing HTML attribute and into a new one:
<input type="text" value="BAD_DATA">
If the BAD_DATA is " autofocus onfocus="alert(1)
this becomes
<input type="text" value="" autofocus onfocus="alert(1)">
which will pop up the alert box.
So while request validation will stop simple XSS attacks, it will not stop all. I have also seen the need to switch it off on login forms, as it will reject users having a < in their password.
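As an added illustration (not part of either answer, and not ASP.NET's own code), the Python below models the gap the second answer describes: a simplified stand-in for request validation (an assumption, modelled on the "`<` followed by a letter, `!`, `/`, `?`" and "`&#`" patterns it rejects) lets the attribute-breakout payload through, whereas encoding the value for the attribute context keeps it inside `value=""`.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs for the demonstration.
BREAKOUT = '" autofocus onfocus="alert(1)'   # the payload from the answer above
SCRIPT_TAG = '<script>alert(1)</script>'     # the kind of input request validation does catch

# Simplified stand-in for ASP.NET request validation (an assumption for this
# example, not Microsoft's implementation): it flags '<' followed by a letter,
# '!', '/' or '?', and '&#' numeric character references. Anything else passes.
_DANGEROUS = re.compile(r'<[A-Za-z!/?]|&#')


def request_validation_rejects(value: str) -> bool:
    """Return True if the simplified request-validation check would reject the value."""
    return _DANGEROUS.search(value) is not None


def render_unsafe(value: str) -> str:
    """Insert the raw value into a quoted attribute (the bug described in the answer)."""
    return '<input type="text" value="%s">' % value


def render_attr_encoded(value: str) -> str:
    """Encode for the attribute context first: html.escape(quote=True) turns the
    double quote into &quot; so the value cannot close the attribute."""
    return '<input type="text" value="%s">' % html.escape(value, quote=True)


class _InputAttrs(HTMLParser):
    """Collect the attributes the browser would see on the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == 'input':
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Parse the rendered markup; a breakout shows up as extra attributes
    (autofocus, onfocus) that the template never declared."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs
```

Run the two renderers over BREAKOUT and compare `parsed_attributes` on each: the raw version gains an `onfocus` handler, the encoded version keeps the whole payload as the literal `value` string.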
Source: https://stackoverflow.com/questions/9733427/is-pagessection-validaterequest-enough-to-prevent-xss-in-asp-net