If the Microsoft Web Protection Library can have custom white-lists http://wpl.codeplex.com/
I am also wondering, do you need to do anything special to get it to work with asp.net mvc?
I am going through its methods and I see
AntiXss.GetSafeHtml Method
AntiXss.GetSafeHtmlFragment Method
AntiXss.HtmlEncode Method
AntiXss.JavaScriptEncode Method
AntiXss.UrlEncode Method
Is there something that does all these in one command or do I have to determine line by line which one to use?
Do I have to determine line by line which one to use
Yes, you have to decide which one to use. But that is not an issue with the library. Each kind of output needs its own encoding.
If you have
<script language="JavaScript" >
alert('<%= Model.PropertyName %>')
</script>
You need to JavaScript encode (the easiest attack would use ', which is not handled by HtmlEncode).
But if you have
<a href="ur"><%= Model.PropertyName %></a>
You need to Html.Encode
I think GetSafeHtmlFragment is for usage as an HTML attribute, but I am not so sure here.
I am also wondering do you need to do anything special to get it to work with asp.net mvc?
Just add the namespace to your view and use AntiXss.HtmlEncode("").
I have seen a post where it was shown how you can configure ASP.NET MVC to use the AntiXss library for the handling of <%: %>, but I think it doesn't help that much, because the helpers still use a hardcoded encoder.
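The answer's point, that an HTML encoder and a JavaScript encoder protect different contexts and are not interchangeable, can be shown with two small toy encoders. The following is an added example, not code from the original post and not the AntiXss library itself: `htmlEncode` models an HTML encoder that, as the answer assumes, escapes `& < > "` but leaves the single quote alone; `javaScriptEncode` models a string-literal encoder that hex-escapes everything outside a small safe set. The two decoders stand in for what a browser's HTML and JavaScript parsers would make of each output, and the sample values are constructed.

```javascript
// Added example (not from the original post or the AntiXss library).
// Two toy encoders for the two contexts the answer contrasts, plus
// decoders that show what a browser would make of each encoded output.

// HTML text/attribute context. Modelled on an HTML encoder that escapes
// & < > " but leaves the single quote alone (the answer's assumption).
function htmlEncode(s) {
  return String(s).replace(/[&<>"]/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' })[c]);
}

// JavaScript string-literal context. Every character outside a small safe
// set becomes \xHH or \uHHHH, so the value can never close the quote,
// insert a line break, or spell "</script" inside the literal.
function javaScriptEncode(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// What an HTML parser yields for the encoded text (named entities only).
function htmlDecode(s) {
  return s.replace(/&(amp|lt|gt|quot);/g, (m, name) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"' })[name]);
}

// What a JS parser yields for `encoded` placed between single quotes.
// Returns null when the literal would end early (raw quote or line break)
// or when an escape other than the \x / \u forms modelled here appears.
function parseJsLiteralBody(encoded) {
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    const c = encoded[i];
    if (c === "'" || c === '\n' || c === '\r') return null;
    if (c !== '\\') { out += c; continue; }
    const kind = encoded[i + 1];
    const width = kind === 'x' ? 2 : kind === 'u' ? 4 : 0;
    if (width === 0) return null;
    out += String.fromCharCode(parseInt(encoded.slice(i + 2, i + 2 + width), 16));
    i += 1 + width; // skip the escape; the loop's i++ moves past its last digit
  }
  return out;
}

// Does the value survive intact when `encoder` is used in the HTML body,
// i.e. <a href="ur"><%= value %></a> from the answer?
function safeInHtmlBody(value, encoder) {
  const encoded = encoder(value);
  return !/[<>]/.test(encoded) && htmlDecode(encoded) === value;
}

// Does the value survive intact when `encoder` is used inside
// alert('<%= value %>') from the answer?
function safeInJsLiteral(value, encoder) {
  return parseJsLiteralBody(encoder(value)) === value;
}

// Constructed sample values: a name with an apostrophe and a bit of markup.
const SAMPLES = ["O'Reilly", '<b>bold</b>'];

// One row per sample: which encoder is correct in which context.
function report() {
  return SAMPLES.map((v) => ({
    value: v,
    htmlBody: {
      htmlEncode: safeInHtmlBody(v, htmlEncode),
      javaScriptEncode: safeInHtmlBody(v, javaScriptEncode),
    },
    jsLiteral: {
      htmlEncode: safeInJsLiteral(v, htmlEncode),
      javaScriptEncode: safeInJsLiteral(v, javaScriptEncode),
    },
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

Running it shows the two failure modes the answer describes: `htmlEncode` leaves `O'Reilly` as-is, so inside `alert('...')` the quote terminates the literal (`parseJsLiteralBody` returns null), while `javaScriptEncode` turns it into `O\x27Reilly`, which the JS parser decodes back to the original. In the other direction, `javaScriptEncode` output placed in the HTML body is not markup, but it is also not the original text any more, so each context needs the encoder written for it.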