I have an MVC app with a Service layer and I'm trying to figure out how to sanitize all inputs without going insane.
I have validation under control - field length, data types, and other validation are being handled on both the client and the model (EF5).
What I'm now trying to handle is preventing SQL injection and XSS - I was able to break my application by pasting some markup into one of my inputs.
For example:
<textarea data-bind="value: aboutMe">@Model.AboutMe </textarea>
If I save some script tag in AboutMe:
<script type="text/javascript">alert("hey")</script>
the page breaks due to illegal characters:
Uncaught SyntaxError: Unexpected token ILLEGAL
I'm thinking I can just cherry-pick every single input and wrap it in some kind of SanitizeText() function that removes all brackets from anything that's been submitted, but this feels cheap and tedious, and doesn't address SQL injection.
What's the proper way to go about this?
1 solution
#1
4
To address issues with XSS etc., you should encode your output properly, using e.g. HTML encoding - as opposed to your input. You may also want to look at the Anti-XSS library http://wpl.codeplex.com/releases/view/80289 which includes some excellent classes to help.
To address concerns with SQL injection, you should be using SQL parameters (parameterized queries) http://msdn.microsoft.com/en-us/library/vstudio/bb738521(v=vs.100).aspx alongside appropriate permissions configured in SQL Server itself. As you are using EF5, this will also protect against SQL injection for you, I believe.
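The two points of the answer above (encode on output, per context, and parameterize SQL), as an added example that is not code from the original question or answer. It uses the payload from the question as a constructed sample and assumes a hypothetical Users table with Id and AboutMe columns; the method and variable names are illustrative. The view-model script method goes a step beyond the textarea case in the question: it shows why the encoder has to match the output context, since HTML encoding is the wrong tool when a value is emitted inside an inline script string. Build against .NET Framework with references to System.Web.dll and System.Data.dll.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example (not from the original post). Demonstrates:
//  1) encoding untrusted data on OUTPUT, with the encoder matching the output
//     context (HTML body vs. JavaScript string literal), instead of stripping
//     characters on input;
//  2) passing user input to SQL as parameters, never by string concatenation.
static class OutputEncodingDemo
{
    // Constructed sample input: the exact payload from the question, stored unmodified.
    public const string AboutMe = "<script type=\"text/javascript\">alert(\"hey\")</script>";

    // HTML-body context. This is what Razor's @Model.AboutMe already does for you
    // (HttpUtility.HtmlEncode): '<' and '>' become &lt; and &gt;, so the browser
    // displays the text inside the textarea instead of parsing it as markup.
    public static string RenderTextarea(string aboutMe)
    {
        return "<textarea data-bind=\"value: aboutMe\">"
             + HttpUtility.HtmlEncode(aboutMe)
             + "</textarea>";
    }

    // JavaScript-string context, e.g. seeding a knockout view model in an inline <script>.
    // HTML encoding is the wrong encoder here. JavaScriptStringEncode escapes quotes,
    // backslashes and control characters, and the .NET Framework implementation also
    // escapes '<', '>' and '&' as \uXXXX, so the value can neither break out of the
    // string literal nor close the surrounding <script> tag with a "</script>" of its own.
    public static string RenderViewModelScript(string aboutMe)
    {
        string literal = HttpUtility.JavaScriptStringEncode(aboutMe, addDoubleQuotes: true);
        return "<script>var viewModel = { aboutMe: " + literal + " };</script>";
    }

    // SQL context, vulnerable form, shown only for contrast: the input becomes part of
    // the statement text, so a quote in it changes the statement's meaning.
    public static string VulnerableUpdateSql(int userId, string aboutMe)
    {
        return "UPDATE Users SET AboutMe = '" + aboutMe + "' WHERE Id = " + userId;
    }

    // Parameterized form: the statement text is fixed and the value travels as typed
    // parameter data. EF5 generates commands of this shape for LINQ queries and
    // SaveChanges(); you only write raw SQL like this for Database.SqlQuery / ExecuteSqlCommand,
    // and those accept parameters too.
    public static SqlCommand ParameterizedUpdate(SqlConnection conn, int userId, string aboutMe)
    {
        var cmd = new SqlCommand("UPDATE Users SET AboutMe = @aboutMe WHERE Id = @id", conn);
        cmd.Parameters.Add("@aboutMe", SqlDbType.NVarChar, 4000).Value = aboutMe;
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = userId;
        return cmd;
    }

    static void Main()
    {
        Console.WriteLine(RenderTextarea(AboutMe));
        Console.WriteLine(RenderViewModelScript(AboutMe));

        // Constructed injection sample for the SQL contrast.
        const string sqlPayload = "x'; DROP TABLE Users; --";
        Console.WriteLine(VulnerableUpdateSql(42, sqlPayload));

        // No database connection is needed to see the difference: the command text
        // never contains the input, only the parameter placeholders.
        SqlCommand cmd = ParameterizedUpdate(null, 42, sqlPayload);
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine("  {0} = {1}", p.ParameterName, p.Value);
    }
}
```

The practical rule this illustrates: store what the user typed, and pick the encoder at each place the value is written out. Bracket-stripping on input would have silently corrupted legitimate text ("a < b") while still leaving the JavaScript and SQL contexts unprotected.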