我是否需要清理传递给我的控制器的所有字符串值或只是像编辑器这样的富 html?
那么 input , type 文本字段呢?
<input type="text" name"test1" value="<script></script>" />
public ActionResult TestAction(string test1){ //save in db }
问问题
86 次
1 回答
1
Always sanitize data being sent to the server. You don't want anyone to arbitrarily send data to your server of any type. Some HTML tags, such as <script> elements, can be harmful. You don't want the user storing JavaScript code in your content pages as it could be malicious for other users.
于 2013-03-19T20:44:21.593 回答