ASP.NET MVC does not support request validation
For an ASP.NET MVC application the situation described above is more serious. In a traditional ASP.NET Web Forms application, unlike an ASP.NET MVC application, you can rely on a framework feature called request validation. Request validation automatically checks whether submitted form data contains potentially dangerous markup. If you submit form data that contains, for example, an opening angle bracket (<) followed by a letter, the framework throws an HttpRequestValidationException before your code ever sees the value.
At the time of writing, however, the ASP.NET MVC Framework does not provide request validation. You must therefore take full responsibility for preventing JavaScript injection attacks (cross-site scripting, XSS) against an ASP.NET MVC application.
Note that later releases changed this: ASP.NET MVC 1.0 and above enable request validation by default and let you switch it off per controller or action with the [ValidateInput(false)] attribute. Treat it as defence in depth rather than a substitute for output encoding: it rejects only a fixed set of patterns, and it is routinely disabled for fields that legitimately accept markup.
Blocking JavaScript injection attacks
Blocking JavaScript injection attacks is actually very simple: whenever a view displays text that originated from a user, pass that text through Html.Encode(). The method converts the characters that matter to the HTML parser (<, >, &, and the double quote) into their entity forms, so the browser renders them as literal text instead of interpreting them as markup.
For example, the following is part of the Index view that displays customer feedback:
```html
<h1>Customer Feedback</h1>
<ul>
<% foreach (Survey survey in ViewData.Model)
{ %>
    <li>
    <%= survey.EntryDate.ToShortDateString() %>
    &mdash;
    <%= survey.Feedback %>
    </li>
<% } %>
</ul>
```
This code contains a foreach loop that iterates over the Survey entities and displays the values of the Feedback and EntryDate properties of each Survey object. Because Feedback is written to the page exactly as the visitor typed it, any script tag it contains is executed by every browser that loads the page.
To prevent JavaScript injection attacks, you need to use the Html.Encode() method. The following shows the correct way to write this loop:
```html
<h1>Customer Feedback</h1>
<ul>
<% foreach (Survey survey in ViewData.Model)
{ %>
    <li>
    <%= survey.EntryDate.ToShortDateString() %>
    &mdash;
    <%= Html.Encode(survey.Feedback) %>
    </li>
<% } %>
</ul>
```
What content should be encoded
Notice that I did not encode the EntryDate property in the previous section. There are two reasons why this property does not need to be encoded when it is displayed on a page.
First, a visitor does not enter the value of the EntryDate property. The value is created by your own code, so a hacker has no opportunity to put malicious content into it.
Second, even if a visitor did enter the value of the EntryDate property, it is stored in the SQL Server database as a DateTime. A DateTime cannot carry a script tag, and ToShortDateString() can only ever produce digits and separators. Therefore you do not need to worry about encoding this property when displaying it.
That said, encoding a date costs nothing, and encoding every value by default means you never have to repeat this reasoning for each field; later versions of ASP.NET make this the path of least resistance with the <%: %> syntax (and Razor's @), which encode automatically.
Generally, you should be most worried about JavaScript injection attacks wherever a user enters content through a text box on a form. For example, you should worry about the display of user names. If you allow users to create their own user names, a user may add a malicious JavaScript string to their user name, or an image tag pointing to a pornographic image.
In addition, you should worry about hyperlinks. Most blog applications allow anonymous users to submit a hyperlink to their own website when they post a comment. In this case, a hacker may put malicious JavaScript into the link itself. The following is a simple example:
```html
<a href="javascript:alert('Something Evil!')">Mr. Hacker</a>
```
When you click this link, the JavaScript code is executed. Of course, nothing malicious happens in this example, but code executed from the page can indeed steal form data or cookies. Note that Html.Encode() does not help here: the string javascript:alert('Something Evil!') contains no angle brackets, and the browser decodes any entities in an attribute value before it interprets the URL, so the javascript: scheme survives encoding intact. For user-supplied links you must validate the URL and allow only the schemes you expect (normally http and https), and render anything else as plain text rather than as an anchor.
This section has shown how to prevent JavaScript injection attacks in an ASP.NET MVC application.
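The two points above, that Html.Encode() neutralises markup in free text but does nothing for a javascript: href, as an added example that is not code from the original article or from the ASP.NET MVC framework. It is a stand-alone console program (reference System.Web.dll; Html.Encode() in MVC 1 delegates to HttpUtility.HtmlEncode()). The helper names RenderFeedback and SafeHref, and the sample submissions, are my own constructions for illustration.

```csharp
// Added example: demonstrates output encoding of user text and scheme
// allow-listing for user-supplied hyperlinks. Not part of the original
// article; RenderFeedback and SafeHref are illustrative helper names.
using System;
using System.Web;   // HttpUtility lives in System.Web.dll

static class XssDemo
{
    // Renders one <li> the way the corrected Index view does: the date is
    // produced by our own code, the feedback came from a visitor and is encoded.
    public static string RenderFeedback(DateTime entryDate, string feedback)
    {
        return "<li>" + entryDate.ToShortDateString() + " &mdash; "
             + HttpUtility.HtmlEncode(feedback) + "</li>";
    }

    // Encoding is the wrong tool for an href: the browser decodes entities in
    // the attribute before it interprets the URL, so "javascript:" survives.
    // Allow-list the scheme instead and re-emit the parsed URL.
    // Returns null when the link must be rendered as text rather than as an anchor.
    public static string SafeHref(string candidate)
    {
        Uri uri;
        if (!Uri.TryCreate((candidate ?? "").Trim(), UriKind.Absolute, out uri))
            return null;   // empty, relative or unparsable: reject (strict by design)
        // Uri.Scheme is always lower-case, so " JAVASCRIPT:..." is caught too.
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return null;   // javascript:, data:, vbscript:, file:, ... all rejected
        return HttpUtility.HtmlAttributeEncode(uri.AbsoluteUri);
    }

    static void Main()
    {
        // Constructed sample submissions standing in for malicious survey data.
        string feedback = "<script>alert(document.cookie)</script>";
        string link     = "javascript:alert('Something Evil!')";

        Console.WriteLine(RenderFeedback(new DateTime(2009, 1, 15), feedback));
        // <li><date in current culture> &mdash; &lt;script&gt;alert(document.cookie)&lt;/script&gt;</li>
        // The angle brackets are now literal text; the script never runs.

        Console.WriteLine("<a href=\"" + HttpUtility.HtmlAttributeEncode(link) + "\">Mr. Hacker</a>");
        // Still executes on click: no character the URL parser needs was changed,
        // and the browser undoes attribute encoding before reading the href.

        string[] candidates = { link, " JAVASCRIPT:alert(1)", "http://example.com/?a=1&b=2", "/relative/path" };
        foreach (string candidate in candidates)
        {
            string href = SafeHref(candidate);
            Console.WriteLine(href == null
                ? "rejected, shown as text: " + HttpUtility.HtmlEncode(candidate)
                : "<a href=\"" + href + "\">" + HttpUtility.HtmlEncode(candidate) + "</a>");
        }
        // Only the http://example.com/... entry becomes an anchor, with its "&"
        // emitted as &amp; so it cannot break out of the attribute.
    }
}
```

The design choice worth noting is the allow-list: a deny-list of "javascript:" misses case variants, leading whitespace, and other executable schemes (data:, vbscript:), whereas accepting only absolute http and https URLs and re-emitting the parsed form leaves nothing for an attacker to smuggle through.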