问题描述
我带codeD使用JavaScript和它传递到我的数据库作为这样的HTML文本属性。
我是说
的JavaScript像串威尔斯&安培; PALS
I encoded an html text property using javascript and pass it into my database as such.I meanthe javascript for string like "Wales&PALS"
encodeURIComponent(e.value);
转换为威尔士%20PALS
converted to "Wales%20PALS"
我想它转换回;从asp.net威尔士和放大器PALS。如何嵌入任何想法
I want to convert it back to "Wales&PALS" from asp.net. Any idea on how to embed
decodeURIComponent(datatablevalues)
在我的asp.net函数返回所需的文本?
in my asp.net function to return the desired text?
推荐答案
作为prevention为我们使用参数化查询或存储过程SQL注入。编码是不是真的适合这一点。如果你希望你的用户的东西添加到您的网站,你想prevent他们注射例如恶意的JavaScript HTML编码是很好的。通过编码字符串,浏览器将只打印出来的内容。你在做什么是你带code中的字符串,将它添加到数据库中,但你尝试去code回原来的状态,并显示它的客户端。这样你容易受到多种JavaScript的注射剂。
As a prevention for SQL injection we use parametrized queries or stored procedures. Encoding isn't really suitable for that. Html encoding is nice if you expect your users to add stuff to your website and you want to prevent them injecting malicious javascript for instance. By encoding the string the browser would just print out the contents. What you're doing is that you encode the string, add it to the database, but then you try to decode it back to the original state and display it for the clients. That way you're vulnerable to many kinds of javascript injections..
如果这就是你何意,没问题,只是知道的后果。知道为什么和怎么做每次你做这样的决定。它有点危险。
If that's what you intended, no problem, just be aware of the consequences. Know "why" and "how" every time you make a decision like this. It's kinda dangerous.
举例来说,如果你想使您的用户添加HTML标记为加强插入的内容的一种手段,对于这种更安全的替代方案是创建你自己的一套标签(或使用现有像BB code),所以输入决不会包含任何HTML标记,当你将其插入到数据库中,简单地分析它首先切换到真正的HTML标签。 Asp.net引擎绝不允许恶意输入的请求时(除非您自愿迫使它这样做),因为你已经控制了解析输入,可以确保它的安全时,你的输出,所以没有必要进行一些额外的处理。
For instance, if you wanted to enable your users to add html tags as a means of enhancing the inserted content, a more secure alternative for this would be to create your own set of tags (or use an existing one like BBCode), so the input never contains any html markup and when you insert it into the database, simply parse it first to switch to real html tags. Asp.net engine will never allow malicious input during a request (unless you voluntarily force it do so) and because you already control parsing the input, you can be sure it's secure when you output it, so there's no need for some additional processing.
你只是一个想法:)
如果你真的坚持做你的方式(EN code - >数据库 - >德code - >输出),我们有一些选项是如何做到这一点。我会告诉你一个例子:
If you really insist on doing it your way (encode -> db -> decode -> output), we have some options how to do that. I'll show you one example:
例如,你可以创建一个新的获取,唯一的财产,这将回报您去codeD数据。 (你还是会保持原来的EN codeD数据如果需要)。事情是这样的:
For instance you could create a new get-only property, that would return your decoded data. (you will still maintain the original encoded data if you need to). Something like this:
public string DecodedData
{
get
{
return HttpUtility.UrlDecode(originalData);
}
}
如果你试图连接code一个HTML的输入,也许你会用不同的编码机制更好。不知道的JavaScript 连接codeURIComponent 能正确解析出HTML。
If you're trying to encode a html input, maybe you'd be better off with a different encoding mechanism. Not sure if javascripts encodeURIComponent can correctly parse out html.
这篇关于使用asp.net中去codeURIComponent的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!