使用Json.NET
JsonConvert.SerializeObject(new { Property = "<script>alert('o hai');</script>" })
returns
{"Property":"<script>alert('o hai');</script>"}
Is it possible for the value to be escaped by SerializeObject to prevent a hostile script from executing? I'd prefer not to make changes to the object itself.
编辑:理想情况下,我希望将清理集成到SerializeObject调用中,而不必在SerializeObject之前或之后处理该对象.
编辑:JsonConvert.SerializeObject
中的字符串输出被赋给脚本挡路中的一个全局变量,我相信这就是xss问题所在.