vb.net 如何在不影响安全性的情况下使用 Server.htmlEncode / Server.htmlDecode?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/15250006/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use Server.htmlEncode / Server.htmlDecode without compromising security?
提问by DreamTeK
QUESTION
题
How to submit html code to a textbox and output as text without compromising security?
如何在不影响安全性的情况下将 html 代码提交到文本框并作为文本输出?
This is what I'm currently trying:
这就是我目前正在尝试的:
DATA GOES IN (SUBMITTED INTO TEXTBOX)
数据输入(提交到文本框)
Dim txtInput As String = Server.HtmlEncode(Me.txtInput.Text)
DATA COMES OUT (READ AS TEXT ON PAGE)
数据出来(阅读页面上的文本)
txtOutput.Text = Server.HtmlDecode(MyText)
Desired output is for the format to be the same as initially entered.
所需的输出格式与最初输入的格式相同。
回答by basher
You should HtmlEncode text you are setting in a textbox:
您应该在文本框中设置 HtmlEncode 文本:
txtOutput.Text = Server.HtmlEncode(MyText)
txtOutput.Text = Server.HtmlEncode(MyText)
And HtmlDecode text you are getting from a textbox:
您从文本框中获得的 HtmlDecode 文本:
MyText = Server.HtmlDecode(txtOutput.Text)
MyText = Server.HtmlDecode(txtOutput.Text)
If you're storing the data in sql then I recommend using parameterized queriesas well. It handles most security concerns, such as SQL injection, for you.
如果您将数据存储在 sql 中,那么我建议您也使用参数化查询。它为您处理大多数安全问题,例如 SQL 注入。
