0
正在處理的代碼部分容易受到存儲的XSS的影響。以下是代碼。如何在Asp.net中克服存儲的跨站點腳本漏洞c#
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" OnRowCancelingEdit="GridView1_RowCancelingEdit"
OnRowEditing="GridView1_RowEditing" OnRowUpdating="GridView1_RowUpdating" OnRowDeleting="GridView1_OnRowDeleting" OnPageIndexChanging="GridView1_PageIndexChanging" Width ="1000px" class="grid">
<Columns>
<asp:TemplateField HeaderText="User Name">
<ItemTemplate>
<asp:Label ID="lbl_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:Label>
</ItemTemplate>
<EditItemTemplate>
<asp:TextBox ID="txt_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:TextBox> //this is the line vulnerable to XSS
</EditItemTemplate>
</asp:TemplateField> </columns>
</asp:GridView>
代碼背後
DataTable dt = new DataTable();
try
{
SqlConnection con = new SqlConnection(conn);
con.Open();
SqlDataAdapter adapt = new SqlDataAdapter("Select Uid,Uname,Utype,Uemail,ClientName,ProjectName,Ulog from usrtable where ClientName='" + clientname + "' and Utype='Admin' or ClientName='" + clientname + "'and Utype='Normal'", con);
**adapt.Fill(dt);**//this is again vulnerable
con.Close();
}
if (dt.Rows.Count > 0)
{
GridView1.DataSource = dt;
GridView1.DataBind();
}
我不熟悉XSS。我經歷了很多文件。它要求我們對數據進行編碼。但在我的情況下,我該如何繼續。我在GV中有許多標籤和文本框作爲項目模板。使用它來更新表格行。
需要代碼隱藏。 – Webbanditten
我編輯過。請檢查源代碼 – Aswini