开发者

prevent user to enter script tags in asp.net mvc view

i have a login view in asp.net-mvc. i want that user cannot able to enter 开发者_JAVA技巧tag in username or password field


Why would you want preventing the user from entering tags? Leave him enter whatever he wants. Why preventing someone from having a password such as <script>alert('hello');</script> - it looks like a pretty strong password. Personally I hate web sites limiting my choices for a password.

Just make sure that you encode everything you are outputting inside the views:

So instead of:

<div>Hello <%= Model.Username %></div>

Always use:

<div>Hello <%= Html.Encode(Model.Username) %></div>

or:

<div>Hello <%: Model.Username %></div>

if you are working with ASP.NET 4.0

Also, as pointed out by @Jab in the comments section, in order to accept such input from the user you might need to decorate the controller action that will handle the submission with the [ValidateInput(false)] attribute.


Is there some reason regular sanitisation approaches As described here will not work with MVC?

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜