Questions about XSS filtered data transmission

Time:12-13

I am currently fixing XSS vulnerabilities in an old ASP system.
The tentative solution is to escape special characters on the server side before returning them to the client browser, e.g. `<` is escaped to `&lt;`. I have run into a problem, though, and would appreciate guidance from the experts.
The design is to add two methods on the server side:
Method 1: escape the special characters contained in parameters received from the client before returning them to the client.
Method 2: for data the client posts back to the server to be saved to the DB, convert any contained escape characters back to their original form, so that everything is stored as plain half-width angle brackets, which are harmless there.

In practice I found that Method 1 achieves the desired effect, but Method 2 seems to be unnecessary: when the client posts back a parameter containing escaped characters, the value already looks like the pre-escape original by the time it is parsed on the server.

I wanted to find a theoretical basis for this but have not been able to. Could someone explain: when a parameter value containing escaped characters is posted back to the server, is converting the escape characters back a function of the browser or of the server? Do all mainstream browsers behave this way?
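As an added illustration (not part of the original thread), the following JavaScript simulates the round trip the question describes: the server HTML-encodes a value into an input's value attribute, the browser parses the page into a DOM, the user submits the form, and the server reads the posted field. It also shows the case where the encoded text reaches the DOM via script instead of HTML, and the double encoding that results from storing the encoded form. The function names (htmlEncode, browserParseAttribute, browserSubmitForm, serverParseForm and the rest), the toy entity parser and the sample payloads are this example's own assumptions, not ASP or browser APIs; it runs under Node.js.

```javascript
'use strict';
// Added example, not code from the original thread. Simulates the path a value
// takes from server HTML into the browser DOM and back through a form POST, to
// show which party undoes the "&lt;" escaping. All function names are this
// example's own; nothing here is an ASP or browser API.

// Server side ("method 1"): escape the five HTML-significant characters before
// placing a value inside an attribute. Same set as ASP's Server.HTMLEncode.
function htmlEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Browser side: while building the DOM the HTML parser replaces character
// references in attribute values with the characters they denote. This toy
// version knows only the references htmlEncode emits plus numeric forms; a real
// browser knows the whole entity table, but the principle is identical.
const NAMED_REFS = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };
function browserParseAttribute(raw) {
  return raw.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    // Unknown named references are left as written, as browsers do.
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, body) ? NAMED_REFS[body] : match;
  });
}

// Browser side: on submit the DOM values (not the page source) are serialised
// as application/x-www-form-urlencoded.
function browserSubmitForm(fields) {
  return new URLSearchParams(fields).toString();
}

// Server side: Request.Form (or any form parser) only undoes percent-encoding.
// Nothing in this step knows about HTML entities.
function serverParseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Case A: the value travels as HTML. Server encodes, browser parser decodes,
// the unchanged DOM value is posted, and the server receives the original
// characters. No server-side HtmlDecode ("method 2") took part.
function roundTripViaHtml(stored) {
  const page = `<input name="comment" value="${htmlEncode(stored)}">`;
  const rawAttr = /value="([^"]*)"/.exec(page)[1]; // inner quotes were encoded, so this is safe
  const domValue = browserParseAttribute(rawAttr);
  const body = browserSubmitForm({ comment: domValue });
  return { page, domValue, body, received: serverParseForm(body).comment };
}

// Case B: the same encoded text is assigned from script (input.value = ...), so
// the HTML parser never sees it. Nothing is decoded and the server receives a
// literal "&lt;". A server-side HtmlDecode cannot distinguish this from a user
// who genuinely typed "&lt;", which is why decoding on input is lossy.
function roundTripViaScript(stored) {
  const domValue = htmlEncode(stored); // set via script: no parsing step
  return serverParseForm(browserSubmitForm({ comment: domValue })).comment;
}

// Case C: why "store raw, encode on output" matters. If the encoded form is
// stored and the output path encodes again, the user sees a literal "&lt;b&gt;".
function renderTwiceEncoded(stored) {
  return htmlEncode(htmlEncode(stored));
}

// Case D: what method 1 prevents. Without encoding, a stored value containing a
// quote closes the attribute and the remainder becomes live markup.
function renderUnsafe(stored) {
  return `<input name="comment" value="${stored}">`;
}

function demo() {
  const payload = '"><img src=x onerror=alert(1)>'; // constructed sample input
  const results = {
    unsafe: renderUnsafe(payload),
    safe: roundTripViaHtml(payload),
    viaScript: roundTripViaScript('<b>'),
    twice: renderTwiceEncoded('<b>'),
  };
  console.log(JSON.stringify(results, null, 2));
  return results;
}

demo();
```

Case A is the behaviour the question observed: the "un-escaping" is done by the browser's HTML parser, which every standards-conforming browser performs, and the form serialiser then carries the decoded DOM value, so the server never sees `&lt;` unless the user literally typed it or the value was injected via script as in Case B. Case C is why the stored value should be the raw text and the encoding applied at output time, once, for the context the value lands in.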

CodePudding user response:

It doesn't matter which side does the conversion.
    Function HtmlDecode(ByVal s)
        Dim re
        If Len(s & "") > 0 Then
            ' <br>, <br/> and <br /> back to a line break
            Set re = New RegExp
            re.Pattern = "<br\s*/?\s*>"
            re.IgnoreCase = True
            re.Global = True
            s = re.Replace(s, vbCrLf)
            s = Replace(s, "&nbsp;&nbsp;&nbsp;", Chr(9))
            s = Replace(s, "&quot;", Chr(34))
            s = Replace(s, "&nbsp;", Chr(32))
            s = Replace(s, "&#39;", Chr(39))
            s = Replace(s, "&apos;", Chr(39))
            s = Replace(s, "&gt;", ">")
            s = Replace(s, "&lt;", "<")
            ' &amp; is decoded after &lt; and &gt; so that "&amp;lt;" becomes "&lt;", not "<"
            s = Replace(s, "&amp;", Chr(38))
            s = Replace(s, "&#38;", Chr(38))
            s = Replace(s, "&times;", "×")
            s = Replace(s, "&divide;", "÷")
            s = Replace(s, "&frac14;", "¼")
            s = Replace(s, "&frac12;", "½")
            s = Replace(s, "&frac34;", "¾")
            s = Replace(s, "&plusmn;", "±")
            s = Replace(s, "&laquo;", "«")
            s = Replace(s, "&raquo;", "»")
            s = Replace(s, "&copy;", "©")
            s = Replace(s, "&reg;", "®")
            s = Replace(s, "&deg;", "°")
        End If
        HtmlDecode = s
    End Function

CodePudding user response:

Quoting csdn_aspnet's reply on the 1st floor:
It doesn't matter which side does the conversion.
(HtmlDecode function as posted above)

Thank you for your answer, but I believe this conversion has to be done on the server side, because a client-side JavaScript conversion and check can be bypassed simply by modifying the submitted data with an intercepting proxy. In fact, our system is exactly where the assessment department bypassed the JavaScript code.

CodePudding user response:

Use HTMLEncode.

CodePudding user response:

It is a browser capability.

CodePudding user response:

Defending against XSS, a word to the original poster:

Filter input, encode output.

Tags: ASP