prevent user to enter script tags in asp.net mvc view_问答_开发者

prevent user to enter script tags in asp.net mvc view

开发者 https://www.devze.com 2023-01-01 13:59 出处：网络

i have a login view in asp.net-mvc. i want that user cannot able to enter开发者_JAVA技巧tag in username or password fieldWhy would you want preventing the user from entering tags? Leave him enter what

相关专题：asp.net-mvc

i have a login view in asp.net-mvc. i want that user cannot able to enter 开发者_JAVA技巧tag in username or password field

Why would you want preventing the user from entering tags? Leave him enter whatever he wants. Why preventing someone from having a password such as <script>alert('hello');</script> - it looks like a pretty strong password. Personally I hate web sites limiting my choices for a password.

Just make sure that you encode everything you are outputting inside the views:

So instead of:

<div>Hello <%= Model.Username %></div>

Always use:

<div>Hello <%= Html.Encode(Model.Username) %></div>

or:

<div>Hello <%: Model.Username %></div>

if you are working with ASP.NET 4.0

Also, as pointed out by @Jab in the comments section, in order to accept such input from the user you might need to decorate the controller action that will handle the submission with the [ValidateInput(false)] attribute.

Is there some reason regular sanitisation approaches As described here will not work with MVC?