使用Json.NET
JsonConvert.SerializeObject(new { Property = "<script>alert('o hai');</script>" })
returns
{"Property":"<script>alert('o hai');</script>"}
Is it possible for the value to be escaped by SerializeObject to prevent a hostile script from executing? I'd prefer not to make changes to the object itself.
编辑:理想情况下,我希望将清理集成到SerializeObject调用中,而不必在SerializeObject之前或之后处理该对象.
编辑:JsonConvert.SerializeObject中的字符串输出被赋给脚本挡路中的一个全局变量,我相信这就是xss问题所在.
Functionality to achieve this was added in version 4.5.11
This allows you to add various type of escaping to the output.
This is my LinqPad test:
var settings = new JsonSerializerSettings();
settings.StringEscapeHandling = StringEscapeHandling.EscapeHtml;
var output = JsonConvert.SerializeObject(new { Property = "<script>alert('o hai');</script>" }, settings);
Debug.Print(output);
输出
{"Property":"\u003cscript\u003ealert(\u0027o hai\u0027);\u003c/script\u003e"}
Just as a disclaimer, this isn't a golden bullet to fix xss, but should help you mitigate it a bit given your example.