Reference: https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting

Customizing the Encoders

By default encoders use a safe list limited to the Basic Latin Unicode range and encode all characters outside of that range as their character code equivalents. This behavior also affects Razor TagHelper and HtmlHelper rendering as it will use the encoders to output your strings.

The reasoning behind this is to protect against unknown or future browser bugs (previous browser bugs have tripped up parsing based on the processing of non-English characters). If your web site makes heavy use of non-Latin characters, such as Chinese, Cyrillic or others this is probably not the behavior you want.

You can customize the encoder safe lists to include Unicode ranges appropriate to your application during startup, in ConfigureServices().

For example, using the default configuration you might use a Razor HtmlHelper like so:

```html
<p>This link text is in Chinese: @Html.ActionLink("汉语/漢語", "Index")</p>
```

When you view the source of the web page you will see it has been rendered as follows, with the Chinese text encoded as hexadecimal numeric character references:

```html
<p>This link text is in Chinese: <a href="/">&#x6C49;&#x8BED;/&#x6F22;&#x8A9E;</a></p>
```

To widen the characters treated as safe by the encoder, insert the following into the ConfigureServices() method in Startup.cs:

```csharp
using System.Text.Encodings.Web;
using System.Text.Unicode;

// Registers a replacement HtmlEncoder whose safe list covers Basic Latin and
// CJK Unified Ideographs; Razor TagHelpers and HtmlHelpers resolve it from DI.
services.AddSingleton<HtmlEncoder>(
    HtmlEncoder.Create(allowedRanges: new[] { UnicodeRanges.BasicLatin,
                                              UnicodeRanges.CjkUnifiedIdeographs }));
```

This example widens the safe list to include the Unicode range CjkUnifiedIdeographs. The rendered output would now become:

```html
<p>This link text is in Chinese: <a href="/">汉语/漢語</a></p>
```

Safe list ranges are specified as Unicode code charts, not languages. The Unicode standard has a list of code charts you can use to find the chart containing your characters. Each encoder, Html, JavaScript and Url, must be configured separately.

Note

Customization of the safe list only affects encoders sourced via DI. If you directly access an encoder via System.Text.Encodings.Web.*Encoder.Default then the default, Basic Latin only safe list will be used.
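As an added example, not code from the page or from the ASP.NET Core docs: a console program that compares the default Basic-Latin-only encoders with ones widened to CJK, registers all three encoders the way ConfigureServices() should (the HtmlEncoder registration is the page's; the JavaScriptEncoder and UrlEncoder registrations are added here following the same pattern, since each encoder has its own safe list), and contains the check a practitioner should keep in the test suite: widening a safe list must never stop the HTML-significant characters from being encoded. It also shows the point of the Note above, that `HtmlEncoder.Default` is unaffected by whatever is registered in DI. `EncoderSafeListDemo`, `SiteRanges`, `RegisterEncoders` and `StillEncodesHtmlMetacharacters` are names chosen here, the input string is constructed for the demo, and a reference to `Microsoft.Extensions.DependencyInjection.Abstractions` (already present in any ASP.NET Core project) is assumed for the `IServiceCollection` helper.

```csharp
// Added example, not from the page or the ASP.NET Core docs.
// Assumes .NET 6+ and a reference to Microsoft.Extensions.DependencyInjection.Abstractions.
using System;
using System.Text.Encodings.Web;
using System.Text.Unicode;
using Microsoft.Extensions.DependencyInjection;

public static class EncoderSafeListDemo
{
    // Safe-list ranges for a site whose content is English plus Chinese.
    // Ranges are Unicode code charts, not languages.
    static readonly UnicodeRange[] SiteRanges =
    {
        UnicodeRanges.BasicLatin,
        UnicodeRanges.CjkUnifiedIdeographs,
    };

    // What ConfigureServices() should contain: one registration per encoder.
    // Widening HtmlEncoder alone leaves JavaScript and URL output unchanged.
    public static void RegisterEncoders(IServiceCollection services)
    {
        services.AddSingleton<HtmlEncoder>(HtmlEncoder.Create(SiteRanges));
        services.AddSingleton<JavaScriptEncoder>(JavaScriptEncoder.Create(SiteRanges));
        services.AddSingleton<UrlEncoder>(UrlEncoder.Create(SiteRanges));
    }

    // Regression check to keep after widening a safe list: the characters that
    // matter for HTML injection must still be encoded whatever ranges were
    // allowed. HtmlEncoder forbids < > & ' " + independently of the ranges
    // passed to Create(), so this holds for any encoder built that way.
    public static bool StillEncodesHtmlMetacharacters(HtmlEncoder encoder)
    {
        string encoded = encoder.Encode("<script>alert('x')</script>&\"+");
        bool noRawDelimiters = encoded.IndexOfAny(new[] { '<', '>', '\'', '"', '+' }) < 0;
        // '&' legitimately appears inside entities such as &lt;, so instead
        // confirm that the raw ampersand in the input was escaped.
        return noRawDelimiters && encoded.Contains("&amp;");
    }

    public static void Main()
    {
        // Constructed input: Chinese link text followed by an injection attempt.
        const string input = "汉语/漢語 <script>alert(1)</script>";

        // Basic Latin only. This is also what HtmlEncoder.Default returns, and
        // it ignores anything registered in DI (the Note above).
        HtmlEncoder defaultHtml = HtmlEncoder.Default;
        // Widened safe list, the same instance RegisterEncoders() puts in DI.
        HtmlEncoder widenedHtml = HtmlEncoder.Create(SiteRanges);

        Console.WriteLine("default html : " + defaultHtml.Encode(input));
        Console.WriteLine("widened html : " + widenedHtml.Encode(input));
        Console.WriteLine("still encodes metacharacters: "
                          + StillEncodesHtmlMetacharacters(widenedHtml));

        // Same comparison for the JavaScript encoder: the Chinese passes through
        // once widened, while '<' is still emitted as \u003C in both cases.
        Console.WriteLine("default js   : " + JavaScriptEncoder.Default.Encode(input));
        Console.WriteLine("widened js   : " + JavaScriptEncoder.Create(SiteRanges).Encode(input));
    }
}
```

Running it shows the Chinese text as `&#x6C49;&#x8BED;/&#x6F22;&#x8A9E;` under the default encoder and literally under the widened one, while `<script>` comes out as `&lt;script&gt;` in both, and `StillEncodesHtmlMetacharacters` returns true for the widened encoder. The check is worth keeping because it states the property you are relying on when you widen: the residual risk the page describes is browser parsing bugs on non-Latin characters, not a loss of metacharacter escaping, and the test will catch a later change that swaps in a custom `HtmlEncoder` subclass or bypasses DI in favour of `HtmlEncoder.Default`.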
