Do we need to use HttpUtility.HtmlEncode for Resources to prevent XSS?

We need to use HttpUtility.HtmlEncode on our website. Do we need to use it for Resources? Is there any potential threat?

<%=HttpUtility.HtmlEncode(Resources.MyResourceString)%>


If your resources are HTML, then don't reencode them. If they're text, then HtmlEncode them.

If your resources are just plain old text (i.e. could contain raw ampersands or angle brackets), then even if you don't open up an XSS hole, you still need to HtmlEncode them so that you'll generate valid HTML.


If your resources come from a known-safe source (which I suspect they do), then you don't need to do that, no.


Not to prevent cross-site scripting - that is, unless your users have access to the resources for your application and can insert something malicious!
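
An added example (not part of the original question or answers): a console program showing the text-versus-HTML rule from the first answer, including the user-editable case the last answer mentions. The resource names, values and the `ResourceKind` tag are constructed for illustration, and `WebUtility.HtmlEncode` stands in for `HttpUtility.HtmlEncode` so the code runs without a reference to System.Web.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical tag recording how a resource value was authored.
enum ResourceKind { Text, Html }

static class ResourceRenderer
{
    // Constructed stand-in for a .resx file: each entry records whether its
    // value is plain text or already-authored HTML markup.
    static readonly Dictionary<string, (ResourceKind Kind, string Value)> Resources =
        new Dictionary<string, (ResourceKind, string)>
        {
            // Plain text with a raw ampersand and angle brackets.
            ["TermsLabel"] = (ResourceKind.Text, "Terms & Conditions <beta>"),
            // Markup written by the developer, entities already in place.
            ["SaveHint"] = (ResourceKind.Html, "Press <strong>Save</strong> &amp; continue"),
            // Text that someone with write access to the resources supplied.
            ["Greeting"] = (ResourceKind.Text, "<script>alert(1)</script>"),
        };

    // Encode text resources exactly once; emit HTML resources unchanged.
    public static string Render(string key)
    {
        var (kind, value) = Resources[key];
        return kind == ResourceKind.Text ? WebUtility.HtmlEncode(value) : value;
    }

    static void Main()
    {
        foreach (var key in Resources.Keys)
        {
            var raw = Resources[key].Value;
            Console.WriteLine(key);
            // Unencoded: invalid HTML for TermsLabel, live script for Greeting.
            Console.WriteLine($"  raw:            {raw}");
            // Encoding everything: SaveHint shows its tags and "&amp;" literally.
            Console.WriteLine($"  always encoded: {WebUtility.HtmlEncode(raw)}");
            // Encoding by kind: text is escaped, authored markup is preserved.
            Console.WriteLine($"  by kind:        {Render(key)}");
        }
    }
}
```

The `Html` branch is only safe while those resources stay under the developers' control; any resource that users can edit belongs in the `Text` branch.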
