HtmlAgilityPackSanitizerProvider not working, am I doing something wrong?

Time: 2013-04-22 13:29:34

Tags: c# asp.net xss html-agility-pack

ASP.NET 4.5, IIS 8

The sanitizer does not even remove this simple script

<script>alert('error')</script>

OK, here is my configuration

    <asp:TextBox ID="txtMessageBody" TextMode="MultiLine" Height="500px" runat="server"
        CssClass="MessageSendArea" MaxLength="4000" ClientIDMode="Static" />

    <ajaxToolkit:HtmlEditorExtender ID="htmlEditorExtender1" TargetControlID="txtMessageBody"
        runat="server" DisplaySourceTab="True">
        <Toolbar>
            <ajaxToolkit:Undo />
            <ajaxToolkit:Redo />
            <ajaxToolkit:Bold />
            <ajaxToolkit:Italic />
            <ajaxToolkit:Underline />
            <ajaxToolkit:StrikeThrough />
            <ajaxToolkit:Subscript />
            <ajaxToolkit:Superscript />
            <ajaxToolkit:JustifyLeft />
            <ajaxToolkit:JustifyCenter />
            <ajaxToolkit:JustifyRight />
            <ajaxToolkit:JustifyFull />
            <ajaxToolkit:InsertOrderedList />
            <ajaxToolkit:InsertUnorderedList />
            <ajaxToolkit:CreateLink />
            <ajaxToolkit:UnLink />
            <ajaxToolkit:RemoveFormat />
            <ajaxToolkit:SelectAll />
            <ajaxToolkit:UnSelect />
            <ajaxToolkit:Delete />
            <ajaxToolkit:Cut />
            <ajaxToolkit:Copy />
            <ajaxToolkit:Paste />
            <ajaxToolkit:BackgroundColorSelector />
            <ajaxToolkit:ForeColorSelector />
            <ajaxToolkit:FontNameSelector />
            <ajaxToolkit:FontSizeSelector />
            <ajaxToolkit:Indent />
            <ajaxToolkit:Outdent />
            <ajaxToolkit:InsertHorizontalRule />
            <ajaxToolkit:HorizontalSeparator />
        </Toolbar>
    </ajaxToolkit:HtmlEditorExtender>

Here is my web.config

    <configSections>
      <sectionGroup name="system.web">
        <section name="sanitizer" requirePermission="false" type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit"/>
      </sectionGroup>
    </configSections>

    <system.web>
      <trust level="Full"/>
      <sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
        <providers>
          <add name="HtmlAgilityPackSanitizerProvider" type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider"/>
        </providers>
      </sanitizer>
    </system.web>

Here is my check

    if (htmlEditorExtender1.SanitizerProvider == null)
    {
        Response.Redirect("PostNewPM.aspx");
    }

This is what I get when I post a message containing the alert script above

&lt;script&gt;alert('error')&lt;/script&gt;

After decoding, this is shown to the user

<script>alert('error')</script>

1 answer:

Answer 0 (score: 0)

Add the SanitizerProvider attribute, as shown below:

<ajaxToolkit:HtmlEditorExtender ID="htmlEditorExtender1" 
    TargetControlID="txtMessageBody"
    runat="server" DisplaySourceTab="True" 
    SanitizerProvider="HtmlAgilityPackSanitizerProvider">
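What a provider of this kind does behind that attribute, as an added example that is neither the question's code nor AjaxControlToolkit's own implementation: an element and attribute whitelist applied to an HtmlAgilityPack DOM. It assumes only the HtmlAgilityPack package; the class name and the whitelists are illustrative choices.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;
// Added example, not AjaxControlToolkit's provider: a whitelist sanitizer over an
// HtmlAgilityPack DOM. The whitelists below are illustrative, not the toolkit's.
public static class HtmlFragmentSanitizer
{
    // Elements allowed to remain; any other element is removed together with its content.
    static readonly HashSet<string> AllowedElements = new HashSet<string>(
        new[] { "p", "br", "b", "i", "u", "strike", "sub", "sup", "ol", "ul", "li", "a", "hr", "span", "div" },
        StringComparer.OrdinalIgnoreCase);
    // Attributes allowed per element; anything unlisted (on*, style, ...) is dropped.
    static readonly Dictionary<string, string[]> AllowedAttributes =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) { { "a", new[] { "href" } } };

    public static string Sanitize(string fragment)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(fragment ?? string.Empty);
        // Walk a snapshot of the tree, because nodes are removed during the walk.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType != HtmlNodeType.Element) continue;
            if (!AllowedElements.Contains(node.Name))
            {
                node.Remove();   // e.g. <script>, <iframe>, <object>, including their children
                continue;
            }
            string[] allowed;
            AllowedAttributes.TryGetValue(node.Name, out allowed);
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = allowed != null && allowed.Contains(attr.Name, StringComparer.OrdinalIgnoreCase);
                // An href is kept only as an absolute http(s) URL; other URI schemes are discarded.
                if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                    keep = IsHttpUrl(attr.Value);
                if (!keep) attr.Remove();
            }
        }
        return doc.DocumentNode.OuterHtml;
    }
    static bool IsHttpUrl(string value)
    {
        Uri uri;
        return Uri.TryCreate(value, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }
}
```

Apply it to the decoded editor text (for instance HttpUtility.HtmlDecode(txtMessageBody.Text)) before the message is stored or rendered: the encoded `&lt;script&gt;` in the question is inert until that decoding step turns it back into a live script.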