0

Heyy all!

I'm using asp.net mvc 3 and AntiXssLibrary 4.2 and I try to encode some text with single or duble quotes and the problem is that I get ' " instead of ' or " and in Hebrew they are very useful (like רמב"ם or צ'ק). I know that there are included on the hebrew and default parameter on this method:

UnicodeCharacterEncoder.MarkAsSafe(
        LowerCodeCharts.Default | LowerCodeCharts.Hebrew,
        LowerMidCodeCharts.None,
        MidCodeCharts.None,
        UpperMidCodeCharts.None,
        UpperCodeCharts.None);

I try all the encoding methods with no expected result.

EDIT:

for my second problem that I try to put on my view a html string like this

return new HtmlString(Encoder.HtmlEncode(resFile));

and i get all the html format instead the rendered page, the problem was that microsoft move the GetSafeHtml() method to the HtmlSanitizationLibrary assembly - I find it on this answer and I download it from here. Now I can use it like this

return new HtmlString(Sanitizer.GetSafeHtml(questionsAnswerString));

After that of course I added the reference 

using Microsoft.Security.Application;

Now I'm stuck with those qoutes' any help?

4

2 回答 2

1

好的,如果您进入' "呈现的 html 页面,那么我突然想到您遇到了双重 html 编码的问题。

要复制您的情况,请将Replication:代码复制并粘贴到您的一个视图中,然后自己查看问题。

HtmlString并且MvcHtmlString不应该对已经编码的 html 字符串进行编码。所以在你的情况下

return new HtmlString(Encoder.HtmlEncode(resFile));

或者

Sanitizer.GetSafeHtml(questionsAnswerString)

正在返回一个 Html 编码的字符串,然后在视图中您实际上又对其进行了一次编码。

这可能会发生,因为在您实际呈现内容的视图中,您使用的是剃须刀

@alreadyHtmlEncodedString 
// razor's @ syntax html encodes the given string 
//(irrespective of the fact that the given string is not html encoded 
//or the given string is html encoded already or whatever. 
//it just encodes the given string)

或 aspx

<%:alreadyHtmlEncodedString%> 
// aspx's <%: %> html encodes the given string 
//(irrespective of the fact that the given string is not html encoded 
//or the given string is html encoded already or whatever. 
//it just encodes the given string)

所以,如果是这样的话。对已经 html 编码的字符串使用 Html.Raw。或者只是依赖 razor 的 @ 语法来获取不安全的非 html 编码字符串,无论您选择哪种方式。

  • 复制:

如果有帮助,下面是一些用于复制您的场景的代码。以及样本输出和图像。将以下代码放在您的一个视图中。

@{string quotes = @"'""";
  string quotesHtmlEncoded = Html.Encode(@"'""");
  string hebrew = @"like רמב""ם or צ'ק";
  string hebrewHtmlEncoded = Html.Encode(@"like רמב""ם or צ'ק");
  string sampleXss = "<script>alert('1')</script>";
  string sampleXssHtmlEncoded = Html.Encode("<script>alert('1')</script>");
}

<table border="1">
    <thead>
        <tr>
            <th></th>
            <th>razor @@
            </th>
            <th>Raw
            </th>
            <th>MvcHtmlString.Create
            </th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>quotes
            </td>
            <td>
                @quotes
            </td>
            <td>
                @Html.Raw(quotes)
            </td>
            <td>
                @MvcHtmlString.Create(quotes)
            </td>
        </tr>
        <tr>
            <td>quotesHtmlEncoded
            </td>
            <td>
                @quotesHtmlEncoded
            </td>
            <td>
                @Html.Raw(quotesHtmlEncoded)
            </td>
            <td>
                @MvcHtmlString.Create(quotesHtmlEncoded)
            </td>
        </tr>
        <tr>
            <td>hebrew
            </td>
            <td>
                @hebrew
            </td>
            <td>
                @Html.Raw(hebrew)
            </td>
            <td>
                @MvcHtmlString.Create(hebrew)
            </td>
        </tr>
        <tr>
            <td>hebrewHtmlEncoded
            </td>
            <td>
                @hebrewHtmlEncoded
            </td>
            <td>
                @Html.Raw(hebrewHtmlEncoded)
            </td>
            <td>
                @MvcHtmlString.Create(hebrewHtmlEncoded)
            </td>
        </tr>
        <tr>
            <td>sampleXss
            </td>
            <td>
                @sampleXss
            </td>
            <td>
                @Html.Raw(sampleXss)
            </td>
            <td>
                @MvcHtmlString.Create(sampleXss)
            </td>
        </tr>
        <tr>
            <td>sampleXssHtmlEncoded
            </td>
            <td>
                @sampleXssHtmlEncoded
            </td>
            <td>
                @Html.Raw(sampleXssHtmlEncoded)
            </td>
            <td>
                @MvcHtmlString.Create(sampleXssHtmlEncoded)
            </td>
        </tr>
    </tbody>
</table>

样本输出图像

.doubleEncodedHtml

于 2014-03-20T14:38:33.323 回答
0

我很抱歉麻烦,但不可能将这些字符列入白名单。我们可以MarkAsSafe. 他打电话ApplyHtmlSpecificValues(),我们可以看到

    private static void ApplyHtmlSpecificValues() {
        characterValues['<'] = "lt".ToCharArray();
        characterValues['>'] = "gt".ToCharArray();
        characterValues['&'] = "amp".ToCharArray();
        characterValues['"'] = "quot".ToCharArray();
        characterValues['\''] = "#39".ToCharArray();
    }

无论如何,它们会保留这些字符,因此您在编码后无法获取它们。

因此,我认为适合调用此函数的唯一解决方案总是从一个地方开始,并且在执行后只是将字符改回来:(

return Encoder.HtmlEncode(input).Replace("&quot;", "\"").Replace("&#39;", "'");

10 倍;)

于 2014-03-30T15:37:09.937 回答