注意:.NET 4.0缺省已经帮我们进行了request validation,因此当我们在form field里输入xss attack code时,就会报错。如下图。不过这个太严苛,即使我只输入 "<h1",也会报错。如果要取消request validation:
step 1: 在web.config file的<system.web>里添加下列代码
<httpRuntime requestValidationMode="2.0" />
step 2:
如果你是希望所有的page都不进行request validation,则在web.config file的<system.web>里添加下列代码:
<pages validateRequest="false"></pages>
如果你只希望某些page不进行request validation,则在这些page的aspx file的 <%@ Page %>里添加属性validateRequest="false"
使用Microsoft Anti-Cross Site Scripting Library,当前版本是4.2 (http://www.microsoft.com/en-us/download/details.aspx?id=28589)
installation instruction:download the msi file and install it. and then in your web app project, add the "AntiXSSLibrary.dll" to reference.
Code example:
using Microsoft.Security.Application;
lblInfo.Text = Encoder.HtmlEncode(message.Text);
注意:我认为调用htmlEncode应该是在要把东东显示在浏览器上时才调用,而不是在获取参数时就使用。例如,当有一个form submit,把参数值直接存到数据库,之后在read 数据库获取该值后,调用htmlEncode来处理该值,然后显示到browser上。(ref question " Q. Can I encode the input and store it in a data store?" at http://msdn.microsoft.com/en-us/security/aa973814.aspx)
参考文章:
http://www.dotblogs.com.tw/wjl0127/archive/2011/08/18/33408.aspx
http://blog.miniasp.com/post/2009/09/26/Recommand-Microsoft-Anti-XSS-Library-V31.aspx
http://blog.miniasp.com/post/2009/07/Recommand-Microsoft-Anti-Cross-Site-Scripting-Library-V30.aspx
practice
http://www.dotblogs.com.tw/dc690216/archive/2009/12/16/12493.aspx
http://www.wretch.cc/blog/energy014255/14288358
anti xxs v4.0 部分汉字乱码问题
http://www.zhaoshu.net/bbs/read10.aspx?TieID=b1745a9c-03a6-4367-93e0-114707aff3e3