prevent user to enter script tags in asp.net mvc view
i have a login view in asp.net-mvc. i want that user cannot able to enter 开发者_JAVA技巧tag in username or password field
Why would you want preventing the user from entering tags? Leave him enter whatever he wants. Why preventing someone from having a password such as <script>alert('hello');</script>
- it looks like a pretty strong password. Personally I hate web sites limiting my choices for a password.
Just make sure that you encode everything you are outputting inside the views:
So instead of:
<div>Hello <%= Model.Username %></div>
Always use:
<div>Hello <%= Html.Encode(Model.Username) %></div>
or:
<div>Hello <%: Model.Username %></div>
if you are working with ASP.NET 4.0
Also, as pointed out by @Jab in the comments section, in order to accept such input from the user you might need to decorate the controller action that will handle the submission with the [ValidateInput(false)]
attribute.
Is there some reason regular sanitisation approaches As described here will not work with MVC?
精彩评论