1

我有一个旧的 ASP.Net 站点(最近升级到 .NET 4.0),它从未打开过请求验证,它根本没有对任何用户输入进行 Html 编码。

我的解决方案是打开请求验证并在 Global.asax 中捕获 HttpRequestValidationException 并将用户重定向到错误页面。我不会对用户输入进行 Html 编码,因为我必须在数千个地方进行编码。我希望我的方法能够阻止任何 XSS 向量被保存到数据库中。

但是,如果数据库中已经存储了任何 XSS 向量,我认为我还应该对所有输出进行 Html 编码。不幸的是,我的开发和测试资源非常有限,无法成功实现这一目标。我想出了一个我需要经历的变化列表:

  1. 搜索并用 <%: %> 替换所有 <%= %>。
  2. 搜索并用文字替换所有标签并添加 Mode="Encode"。
  3. 用 HtmlEncode 包装所有 eval()。

我的问题是:

  1. 有没有更简单的方法可以打开所有输出以自动进行 Html 编码?
  2. 我错过了上面列表中的任何内容吗?
  3. 我应该注意哪些陷阱?

谢谢。

4

1 回答 1

0

Search and Replace all <%= %> with <%: %>.

Don't forget the <%# and Response.Write which will be harder to replace

Search and Replace all Labels with Literals and add Mode="Encode".

But you will loose all formatting on the previously generated spans, break the DOM and the corresponding js/css

You would also have to search all Literals with Mode="PassThrough" and set them to Encode

Wrap all eval() with HtmlEncode.

Yes, it seems like a subset of the <%# matter above

Also, you could have some custom controls with funky render method

Assuming there is "only" a relational DB as back-end, If I had access to the DB, I would first go on identifying the problematic tables and columns which values contain markup.

I would then :

  • cleanup as best as I can those values in DB.
  • ensure HtmlEncoding of the corresponding outputs in my pages

I could then go for a basic global replace <%= becoming <%: and sanitize outputs on the long run.

于 2012-11-09T15:09:00.863 回答