Question
I have the below code in the controller. The parameters base64String, fileName are being sent from the browser.
// base64String and fileName arrive from the browser; contentType is the MIME type for the export
var fileContent = Convert.FromBase64String(base64String);
// File() returns a FileContentResult that sends the bytes with the given Content-Type and download name
return File(fileContent, contentType, fileName);
How do I address the XSS threat here?
The above code is based on a fix recommended here: Kendo UI Grid Export to Excel / PDF not working on IE9
Answer 1:
I'm assuming you are not returning HTML to your users (you are returning PDFs or Excel files, or something else for download by the browser instead of for render).
The general guidelines are as follows:
1. Set the correct Content-Type header.
2. Set the following response header: X-Content-Type-Options: nosniff. Browsers such as Internet Explorer will try to auto-detect the content type and ignore the one you've just set.
3. Set the Content-Disposition header so the browser downloads the file rather than displaying it: Content-Disposition: attachment; filename="bar.pdf"
Following the above should ensure that any script code contained in the file is not executed by your browser. Be aware that IE (again!) can sometimes process script in XML files, so you should test for this.
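The three guidelines above, applied to the asker's controller action, as an added example that is not code from the original question or answer. It assumes ASP.NET MVC 5 (System.Web.Mvc); the controller and action names, the extension allow-list and the error responses are this example's own choices. The content type is derived from the file extension on the server rather than trusted from the request, so a caller cannot declare the bytes as HTML; nosniff is added explicitly, while File() itself emits Content-Type and Content-Disposition: attachment.

```csharp
// Added example (not from the original question or answer). Assumes ASP.NET MVC 5;
// names, allow-list and status codes are this example's own assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web.Mvc;

public class ExportController : Controller
{
    // Only the types the export feature legitimately produces. Mapping from the
    // extension means the client never chooses the Content-Type the browser sees.
    private static readonly Dictionary<string, string> AllowedTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf",  "application/pdf" },
            { ".xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" },
        };

    [HttpPost]
    public ActionResult Download(string base64String, string fileName)
    {
        // Drop any directory component and refuse names whose extension is not allowed.
        var safeName = Path.GetFileName(fileName ?? string.Empty);
        var extension = Path.GetExtension(safeName);
        if (safeName.Length == 0 || !AllowedTypes.TryGetValue(extension, out var contentType))
        {
            return new HttpStatusCodeResult(400, "Unsupported file name");
        }

        // Convert.FromBase64String throws FormatException on malformed input;
        // answer with 400 instead of a 500 error page.
        byte[] fileContent;
        try
        {
            fileContent = Convert.FromBase64String(base64String ?? string.Empty);
        }
        catch (FormatException)
        {
            return new HttpStatusCodeResult(400, "Invalid file content");
        }

        // Guideline 2: stop Internet Explorer from sniffing the body and
        // overriding the declared Content-Type.
        Response.AddHeader("X-Content-Type-Options", "nosniff");

        // Guidelines 1 and 3: File(bytes, contentType, fileDownloadName) returns a
        // FileContentResult that sets Content-Type and
        // Content-Disposition: attachment; filename="...", so the browser saves
        // the response rather than rendering it.
        return File(fileContent, contentType, safeName);
    }
}
```

If the export must accept other formats, extend AllowedTypes rather than passing a request-supplied content type through; the allow-list is what keeps a text/html or image/svg+xml body from ever being declared to the browser.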
Source: https://stackoverflow.com/questions/28753381/fortify-cross-site-scripting-in-file