开发者

Safe Razor Template Engine

开发者 https://www.devze.com 2023-01-26 09:52 出处:网络
I\'m an asp.net mvc 3 newbie, I\'m developing a site that allow user customize their layout and use razor template engine. Thay could direct edit the template file.开发者_Go百科

I'm an asp.net mvc 3 newbie, I'm developing a site that allow user customize their layout and use razor template engine. Thay could direct edit the template file.

开发者_Go百科

How to retrict user from only allow uses some explicit helper in a template. I dont want user access other dangerous server functions, and only use what I added.

Thanks


There are two cases:

  1. You trust your users: in this case you shouldn't be worried as they won't break your site
  2. You don't trust your users (most probable): in this case giving them the possibility to directly modify the templates seems a risky affair. You will need a pretty solid sanitizing tool that will filter all other helpers that you don't want. It's just too broad. Giving them the possibility to write markup would be OK with for example some WYSIWYG editor like WMD but giving them access to server code is asking for trouble.
0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号