I. Prevent cross-site scripting (XSS)
①: @Html.Encode("<script>alert('123')</script>")
After encoding: &lt;script&gt;alert(&#39;123&#39;)&lt;/script&gt;
②: @Html.AttributeEncode("<script>alert('123')</script>")
After encoding: &lt;script>alert(&#39;123&#39;)&lt;/script> (the attribute encoder escapes <, &, " and ' but leaves > alone; a browser renders it the same as the output above)
③: @Html.JavaScriptEncode()
④: Use the AntiXSS library as an additional defence
II. Prevent cross-site request forgery (CSRF)
①: Token validation (for form submissions)
Add @Html.AntiForgeryToken() to the form being submitted and put [ValidateAntiForgeryToken] on the controller action.
②: HTTP Referer check (GET, POST)
Create a new class that inherits from AuthorizeAttribute (the check runs when the request is submitted):
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    namespace SchoolManageDomw.Models
    {
        public class IsPostedThisSiteAttribute : AuthorizeAttribute
        {
            public override void OnAuthorization(AuthorizationContext filterContext)
            {
                if (filterContext.HttpContext != null)
                {
                    // No Referer header at all: reject the request
                    if (filterContext.HttpContext.Request.UrlReferrer == null)
                        throw new Exception("The information requested by the client is empty");
                    // Referer points at a different host: reject the request
                    if (filterContext.HttpContext.Request.UrlReferrer.Host != "localhost") // mysite.com in production
                        throw new Exception("Insecure request");
                }
            }
        }
    }
Use it on the controller action:
    // requires: using System.Web.Security; (for FormsAuthentication)
    [IsPostedThisSite]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
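A hardened form of the Referer check above, added here as an example and not code from the original post: it answers 403 instead of throwing, compares the Referer against the request's own host (or a configured list) instead of a hard-coded "localhost", and keeps the comparison in a static helper that can be unit-tested without an HttpContext. The class name SameSiteRefererAttribute and the AllowedHosts property are assumptions; the namespace is the one used on the page.

```csharp
using System;
using System.Web.Mvc;

namespace SchoolManageDomw.Models
{
    // Rejects requests whose Referer points at another site. This is a second line of
    // defence only: browsers, proxies and privacy settings may strip Referer, so
    // @Html.AntiForgeryToken() / [ValidateAntiForgeryToken] remains the primary CSRF check.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
    public sealed class SameSiteRefererAttribute : FilterAttribute, IAuthorizationFilter
    {
        // Optional explicit host list (e.g. "mysite.com"); when empty, the request's own host is used.
        public string[] AllowedHosts { get; set; }

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null) throw new ArgumentNullException("filterContext");
            var request = filterContext.HttpContext.Request;

            // A missing or foreign Referer is treated as cross-site: fail closed with a
            // 403 result rather than an unhandled exception (no stack trace leaks to the client).
            if (!IsSameSite(request.UrlReferrer, request.Url, AllowedHosts))
                filterContext.Result = new HttpStatusCodeResult(403, "Request did not originate from this site");
        }

        // Pure comparison, kept static so it can be tested with plain Uri values.
        public static bool IsSameSite(Uri referer, Uri requestUrl, string[] allowedHosts)
        {
            if (referer == null || !referer.IsAbsoluteUri) return false;

            if (allowedHosts != null && allowedHosts.Length > 0)
            {
                foreach (var host in allowedHosts)
                    if (string.Equals(referer.Host, host, StringComparison.OrdinalIgnoreCase)) return true;
                return false;
            }

            // Compare host and scheme with the request's own URL so the check also holds when
            // the site is served under a real host name instead of "localhost".
            return requestUrl != null
                && string.Equals(referer.Host, requestUrl.Host, StringComparison.OrdinalIgnoreCase)
                && string.Equals(referer.Scheme, requestUrl.Scheme, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Applied as [SameSiteReferer] (or [SameSiteReferer(AllowedHosts = new[] { "mysite.com" })]) on an action, it replaces the IsPostedThisSite attribute shown above while keeping the same intent.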
This article is from the "Program Ape's Home -- Hunter" blog; please keep this source: http://962410314.blog.51cto.com/7563109/1606025
MVC3 -- Website Security