处理 XSS 的方法(最佳实践)是什么?
问题描述:
我正在使用 ASP.NET,并且在 ASP.NET 页面上具有用于检查 XSS 验证的验证属性.但是我想知道这真的足够吗?
I am using ASP.NET and on ASP.NET page has validate attribute which checks for the XSS validations. However i would like to know that is it really sufficient ?
我访问了一些关于 * 的相关帖子,这对我有帮助,但我想了解在开发网站时如何规划 XSS?
I have visited some of the related post on * and that helped me but i am looking to understand how to plan for XSS when developing web sites ?
我们是否必须在客户端检查 XSS,也必须检查 AJAX?怎么做 ?有没有什么工具可以帮助测试XSS?
Do we have to check XSS on client side, AJAX also ? How to do that ? Are there any tools which can help testing the XSS ?
谢谢,
答
这些是基础:
- 不允许 HTML 输入
- 显示时总是对输入进行 html 编码
- 使用来自 Microsoft 的 AntiXSSLibrary 或类似的库
- Do not allow HTML input
- Always html encode input when displaying it
- Use the AntiXSSLibrary from Microsoft, or a similar library