I'm building an ASP.NET MVC web application that uses Entity Framework. User input is stored in the database, and parts of it are displayed later. To prevent cross-site scripting, I'm going to run all user input that gets saved to the database through `AntiXssEncoder.HtmlEncode()` before inserting it. I know I can run each field through that function manually; however, I'm wondering whether there is a more efficient way, for example modifying the DbContext class to add this logic before it attempts to save data. Right now I have something like this:
```csharp
[HttpPost]
public ActionResult ModuleOne(ModuleOneData formData)
{
    ModuleOneViewModel vm = new ModuleOneViewModel();
    // Identify the logged-in new hire from the forms-authentication ticket
    HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
    Int32 newHireID = Convert.ToInt32(ticket.Name);
    Employee newHire = dbContext.Employees.FirstOrDefault(e => e.EmployeeID == newHireID);
    String sigFileName = "";
    // Pay Selection: each free-text field is HTML-encoded before it is saved
    newHire.PaySelection = AntiXssEncoder.HtmlEncode(formData.PaySelection, false);
    newHire.PaySelectionDate = formData.PaySelectionDate;
    newHire.PaySelectionSignature = AntiXssEncoder.HtmlEncode(formData.PaySelectionSignature, false);
    // ... and so on for the remaining fields
}
```
And so on for many more fields. Alternatively, is there a way to loop over the incoming POST data and apply this function? For reference, ModuleOneData looks like this:
```csharp
using System;
using System.Web;

public class ModuleOneData
{
    public int EmployeeID { get; set; }
    public String PaySelection { get; set; }
    public String PaySelectionSignature { get; set; }
    public String PaySelectionDate { get; set; }
    public String PaySelectionAccountType { get; set; }
    public String PaySelectionAccountNumber { get; set; }
    public String PaySelectionRoutingNumber { get; set; }
    public HttpPostedFileBase PaySelectionCheck { get; set; }
    public String DirectDepositInitials { get; set; }
    public String MoneyNetworkInitials { get; set; }
    public String WorkCompSignature { get; set; }
    public String WorkCompSignatureDate { get; set; }
    public String JobDescriptionSignature { get; set; }
    public String JobDescriptionSignatureDate { get; set; }
    public String MemoSignature { get; set; }
    public String MemoSignatureDate { get; set; }
    public String CriminalCheckSignature { get; set; }
    public String CriminalCheckDate { get; set; }
    public String AgeAcknowledgmentSig { get; set; }
    public String AgeAcknowledgmentSigDate { get; set; }
    public String DocumentReceiptSignature { get; set; }
    public String DocumentReceiptDate { get; set; }
    public String HandbookSignature { get; set; }
    public String HandbookSignatureDate { get; set; }
    public String DatingPolicySignature { get; set; }
    public String DatingPolicyDate { get; set; }
    public String UniformReceiptSignature { get; set; }
    public String UniformReceiptDate { get; set; }
    public string ageSigData { get; set; }
    public string paySigData { get; set; }
    public string workCompSigData { get; set; }
    public string jobSigData { get; set; }
    public string documentSigData { get; set; }
    public string handbookSigData { get; set; }
    public string uniformSigData { get; set; }
    public string criminalSigData { get; set; }
    public string harassmentSigData { get; set; }
    public string datingSigData { get; set; }
}
```
Thanks for any advice.
Answer 0 (score: 1)
No, the most "efficient" way is to map each field manually. It is, however, also the most labor-intensive.
What you should not do is modify the DbContext in any way to do this, because at that point you are coupling business logic/validation with data persistence.
If you're willing to give up a little performance, you can always use reflection to iterate over all public string properties and call HtmlEncode on each value:
```csharp
using System.Linq;
using System.Web.Security.AntiXss;

var formData = new ModuleOneData();
formData.PaySelection = "test1";
formData.PaySelectionSignature = "test2";
// PropertyType identifies the string members (GetType() on a PropertyInfo never equals string);
// only writable properties holding a non-null value are encoded in place
formData
    .GetType()
    .GetProperties()
    .Where(x => x.PropertyType == typeof(string) && x.CanWrite && x.GetValue(formData) != null)
    .ToList()
    .ForEach(x =>
        x.SetValue(formData, AntiXssEncoder.HtmlEncode(
            (string)x.GetValue(formData), false)));
```
Answer 1 (score: 0)
You should encode on output (when displaying), not when storing.
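The following console program is an added illustration of both answers above and is not code from the question or from either answer: it generalises the reflection encoder from answer 0 to any model and then shows what answer 1 warns about, namely that a value encoded before storage is encoded a second time by the Razor view and also reaches non-HTML consumers with entities in it. It assumes a hypothetical two-field `SignatureForm` model in place of the question's `ModuleOneData`, and uses `System.Net.WebUtility.HtmlEncode` instead of `AntiXssEncoder` so it builds without a reference to System.Web.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Reflection;
// WebUtility stands in for AntiXssEncoder so this runs without System.Web;
// AntiXss encodes a larger character set but double-encodes the same way.
public static class FormEncoding
{
    // Generalises the reflection snippet from answer 0: encodes every readable, writable
    // public string property of any model in place (PropertyType, not GetType(), picks
    // out the string members); null values are left alone.
    public static T EncodeStringProperties<T>(T model)
    {
        var stringProps = typeof(T)
            .GetProperties(BindingFlags.Public | BindingFlags.Instance)
            .Where(p => p.PropertyType == typeof(string) && p.CanRead && p.CanWrite);
        foreach (var p in stringProps)
        {
            var value = (string)p.GetValue(model);
            if (value != null) p.SetValue(model, WebUtility.HtmlEncode(value));
        }
        return model;
    }
    // Razor HTML-encodes every @Model.X it renders; this stands in for the view.
    public static string RazorRender(string storedValue) => WebUtility.HtmlEncode(storedValue);
}

// Hypothetical two-field stand-in for the question's much larger ModuleOneData.
public class SignatureForm
{
    public string Signature { get; set; }
    public int EmployeeID { get; set; }   // not a string, so the encoder skips it
}

public static class Demo
{
    public static void Main()
    {
        const string typed = "Tom & Jerry <Ltd>";   // constructed, legitimate input
        // Answer 1: store the raw value and let the view encode it once; the browser
        // then shows the name exactly as typed.
        Console.WriteLine(FormEncoding.RazorRender(typed));
        // The question's plan: encode before saving, then the view encodes again, so the
        // browser displays literal &amp; and &lt; entities; any non-HTML consumer of the
        // stored value (report, e-mail, CSV) sees the entities too.
        var form = FormEncoding.EncodeStringProperties(new SignatureForm { Signature = typed });
        Console.WriteLine(FormEncoding.RazorRender(form.Signature));
        Console.WriteLine(form.Signature);
    }
}
```

Only a view that deliberately bypasses Razor's encoding (for example with `Html.Raw`) would render the stored, pre-encoded value correctly, and that is exactly the kind of exception that turns into an XSS bug when a new consumer of the same column forgets it.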