What do you use to validate an email address on an ASP.NET form? I want to make sure that it contains no XSS exploits.
This is ASP.NET 1.1
7 Answers
#1
112
Any script tags posted on an ASP.NET web form will cause your site to throw an unhandled exception.
You can use an asp regex validator to confirm input, just ensure you wrap your code-behind method with an if(IsValid) clause in case your javascript is bypassed. If your client javascript is bypassed and script tags are posted to your asp.net form, asp.net will throw an unhandled exception.
You can use something like:

```aspx
<asp:RegularExpressionValidator ID="regexEmailValid" runat="server"
    ValidationExpression="\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"
    ControlToValidate="tbEmail"
    ErrorMessage="Invalid Email Format"></asp:RegularExpressionValidator>
```
#2
18
Here is a basic email validator I just created based on Simon Johnson's idea. It just needs the extra functionality of DNS lookup being added if it is required.
```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web.UI.WebControls;
using System.Text.RegularExpressions;
using System.Web.UI;

namespace CompanyName.Library.Web.Controls
{
    // Custom validator control; BaseValidator handles registration, IsValid and error display.
    [ToolboxData("<{0}:EmailValidator runat=server></{0}:EmailValidator>")]
    public class EmailValidator : BaseValidator
    {
        // Called by the validation framework on postback (and by Page.Validate()).
        protected override bool EvaluateIsValid()
        {
            // Read the value of the control named in ControlToValidate.
            string val = this.GetControlValidationValue(this.ControlToValidate);
            // Note: '|' inside a [...] character class is a literal character, not alternation.
            string pattern = @"^[a-z][a-z|0-9|]*([_][a-z|0-9]+)*([.][a-z|0-9]+([_][a-z|0-9]+)*)?@[a-z][a-z|0-9|]*\.([a-z][a-z|0-9]*(\.[a-z][a-z|0-9]*)?)$";
            Match match = Regex.Match(val.Trim(), pattern, RegexOptions.IgnoreCase);
            if (match.Success)
                return true;
            else
                return false;
        }
    }
}
```
#3
7
You can use a RegularExpression validator. The ValidationExpression property has a button you can press in Visual Studio's properties panel that lists a lot of useful expressions. The one they use for email addresses is:

```text
\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*
```
#4
5
Validating that it is a real email address is much harder.
The regex to confirm the syntax is correct can be very long (see http://www.regular-expressions.info/email.html for example). The best way to confirm an email address is to email the user, and get the user to reply by clicking on a link to validate that they have received the email (the way most sign-up systems work).
#5
5
In our code we have a specific validator inherited from the BaseValidator class.
This class does the following:
- Validates the e-mail address against a regular expression.
- Does a lookup on the MX record for the domain to make sure there is at least a server to deliver to.
This is the closest you can get to validation without actually sending the person an e-mail confirmation link.
#6
4
Preventing XSS is a different issue from validating input.
Regarding XSS: You should not try to check input for XSS or related exploits. You should prevent XSS exploits, SQL injection and so on by escaping correctly when inserting strings into a different language where some characters are "magic", e.g. when inserting strings in HTML or SQL. For example a name like O'Reilly is perfectly valid input, but could cause a crash or worse if inserted unescaped into SQL. You cannot prevent that kind of problem by validating input.
Validation of user input makes sense to prevent missing or malformed data, e.g. a user writing "asdf" in the zip-code field and so on. Wrt. e-mail addresses, the syntax is so complex though, that it doesn't provide much benefit to validate it using a regex. Just check that it contains a "@".
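As an added example (not code from any of the answers above), this is how the advice in #1 and #6 fits together in an ASP.NET 1.1 code-behind: the validators are re-checked on the server with Page.IsValid, the value is written to SQL through a parameter rather than string concatenation, and it is HTML-encoded at the point it is echoed back. The tbEmail text box comes from #1; the lblResult label, the btnSubmit_Click handler, the Subscribers table and the connection string are assumptions for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class SignupPage : Page
{
    // Controls declared in the .aspx (tbEmail from answer #1, lblResult assumed).
    protected TextBox tbEmail;
    protected Label lblResult;

    // Placeholder: a real page reads this from Web.config.
    private const string ConnectionString = "<connection-string-placeholder>";

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // 1. The client-side validator script can be bypassed, so re-check on the
        //    server. Page.IsValid reflects every validator on the page.
        if (!Page.IsValid)
        {
            lblResult.Text = "Please correct the errors above.";
            return;
        }

        string email = tbEmail.Text.Trim();

        // 2. SQL: pass the value as a parameter. An address like o'reilly@example.com
        //    is legitimate input; the parameter keeps the quote as data, not syntax.
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "INSERT INTO Subscribers (Email) VALUES (@email)";
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = email;
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        // 3. HTML: encode when writing into the page. Label.Text is rendered
        //    verbatim, so encoding here is what stops markup in the input from running.
        lblResult.Text = "Thanks, we will write to " + HttpUtility.HtmlEncode(email);
    }
}
```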
#7
2
You should always do server side validation as well.

```csharp
// Lets the framework's own address parser decide whether the string is a
// syntactically acceptable mailbox; the parsed object itself is not needed.
public bool IsValidEmailAddress(string email)
{
    try
    {
        var emailChecked = new System.Net.Mail.MailAddress(email);
        return true;
    }
    catch
    {
        return false;
    }
}
```