MVC3----Website Security

One, prevent cross-site scripting attacks (XSS)

①: @Html. Encode ("<script>alert (' 123 ') </script>")
After encoding: &lt;script&gt;alert (& #39;123& #39;) &lt;/script&gt;

②: @Html. Attributeencode ("<script>alert (' 123 ') </script>")
After encoding: &lt;script>alert (& #39;123& #39;) &lt;/script>

③: @Html. Javascriptencode ()

③: Using ANTIXSS Library Defense

Ii. Prevention of cross-site request forgery (CSRF)

①: Token validation (for form validation)
Add @html.antiforgerytoken () to the submission form and add [Validateantiforgerytoken] to the controller

②: Httpreferrer authentication (GET, POST)

Create a new class, Inherit Authorizeattribute (Validate at commit):

Using system;using system.collections.generic;using system.linq;using system.web;using  System.Web.Mvc;namespace SchoolManageDomw.Models{    public class  ispostedthissiteattribute:authorizeattribute    {         public override void onauthorization (Authorizationcontext filtercontext)          {             if  (filtercontext.httpcontext != null)              {                 if  (filtercontext.httpcontext.request.urlreferrer == null)                      throw new  exception ("The information requested by the client is empty");                if  ( filtercontext.httpcontext.request.urlreferrer.host !=  "localhost")//mysite.com                     throw  new exception ("insecure Request");             }         }    }}

Used in the controller:

[Ispostedthissite] public ActionResult LogOff () {formsauthentication.signout ();        Return redirecttoaction ("Index", "Home"); }

This article is from the "program Ape's Home--hunter" blog, please be sure to keep this source http://962410314.blog.51cto.com/7563109/1606025

MVC3----Website Security