C# 在C中处理XSS和Unicode字符#
我有一个处理Unicode字符的C代码。下面的代码也对XSS代码进行编码C# 在C中处理XSS和Unicode字符#,c#,unicode,xss,handle,C#,Unicode,Xss,Handle,我有一个处理Unicode字符的C代码。下面的代码也对XSS代码进行编码 String s = "<<SCRIPT>alert("Hack");//<</SCRIPT>"; var resultText = Microsoft.Security.Application.AntiXss.HtmlEncode(s); string encodedValue = HttpUtility.UrlEncode(resultText, Encoding.UTF8).Rep
String s = "<<SCRIPT>alert("Hack");//<</SCRIPT>";
var resultText = Microsoft.Security.Application.AntiXss.HtmlEncode(s);
string encodedValue = HttpUtility.UrlEncode(resultText, Encoding.UTF8).Replace("+", "")
txtResult.Text = encodedValue;// display in the text box in UI
String s=“void Main()
{
字符串_js=@”这甚至可以编译吗?你需要转义那些引号。基本上,这是我构建的一个示例,但我正在寻找解决方案什么是txtreult
?一些webforms控件的Text
属性采用标记,而其他则采用纯文本。对于纯文本控件,根本不需要转义。我不确定URL-escape-a是什么nd删除加号步骤应该实现。
<<SCRIPT>alert("Hack");//<</SCRIPT>
void Main()
{
string _js = @"<<SCRIPT>alert(""Hack+"");//<</SCRIPT>";
// Break it down into bytes
byte[] _bytes = UTF8Encoding.UTF8.GetBytes(_js);
// Use the single unicode character literal representation of the characters wanting to strip
// '+' = +, etc...
byte[] _sanatizedBytes = _bytes.Where(b => b != '+').ToArray();
// Dump the bytes back into a UTF8 string
string sanitizedJavascript = UTF8Encoding.UTF8.GetString(_sanatizedBytes);
string _safeJavascript = Microsoft.Security.Application.Encoder.HtmlEncode(sanitizedJavascript);
string decode = HttpUtility.HtmlDecode(_safeJavascript);
var txtdecoded = new TextBox() { Text = decode};
}