0

I have a C# code which handles Unicode characters. The below code also encodes XSS code.

String s = "<<SCRIPT>alert("Hack");//<</SCRIPT>";
var resultText = Microsoft.Security.Application.AntiXss.HtmlEncode(s);
string encodedValue = HttpUtility.UrlEncode(resultText, Encoding.UTF8).Replace("+", "")

txtResult.Text = encodedValue;// display in the text box in UI

But the above displays data in a different way.I want to display the text 

<<SCRIPT>alert("Hack");//<</SCRIPT>

in the textbox( txtResult)

Can any one help me in achieving this. Basically i am trying to handle XSS and Unicode characters.

4

1 回答 1

0 
void Main()
{
    string _js = @"<<SCRIPT>alert(""Hack+"");//<</SCRIPT>";

    // Break it down into bytes
    byte[] _bytes = UTF8Encoding.UTF8.GetBytes(_js);    

    // Use the single unicode character literal representation of the characters wanting to strip
    //      '+' = +, etc...
    byte[] _sanatizedBytes = _bytes.Where(b => b != '+').ToArray();

    // Dump the bytes back into a UTF8 string
    string sanitizedJavascript = UTF8Encoding.UTF8.GetString(_sanatizedBytes);

    string _safeJavascript = Microsoft.Security.Application.Encoder.HtmlEncode(sanitizedJavascript);

    string decode = HttpUtility.HtmlDecode(_safeJavascript);

    var txtdecoded = new TextBox() { Text = decode};    

}

这可能是最多余的方法,因为您正在分解它,运行自己的敏感化然后将其重新插入。

就我个人而言,我会使用Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(_js);它去除所有列入黑名单的标签,例如脚本,以及它之间的任何内容,无论 UTF8、ANSI 等如何。

我有点困惑,至于你真正需要什么......所以如果你觉得有必要投反对票,那么让我们在做出决定之前在评论中讨论细节。

于 2013-10-29T11:08:35.460 回答