How to prevent XSS attacks in the Telerik RadGrid control

Source: Internet. Editor: 程序博客网. Date: 2024/04/20 16:40

I. For server-side data binding, you can:

1) If you are using the RadGrid control for ASP.NET AJAX, use the HtmlEncode property of the column:

<MasterTableView>
    <Columns>
        <telerik:GridBoundColumn UniqueName="Description" DataField="Description" HtmlEncode="true" />
    </Columns>
</MasterTableView>


2) If you are using the classic RadGrid for ASP.NET, there is no such property, so the encoding can only be done manually in the ItemDataBound event:

protected void RadGrid1_ItemDataBound(object sender, GridItemEventArgs e)
{
    if (e.Item is GridDataItem)
    {
        GridDataItem dataItem = (GridDataItem)e.Item;

        // Only encode rows rendered for display; edit-mode rows carry the raw value in their editors.
        if (!e.Item.IsInEditMode)
        {
            dataItem["BoundColumnUniqueName"].Text = Server.HtmlEncode(dataItem["BoundColumnUniqueName"].Text);
        }
    }
}


II. For client-side data binding, HtmlEncode="true" is not applied, so use JavaScript's escape() function on the data instead (http://www.telerik.com/community/forums/aspnet-ajax/grid/htmlencode-true-not-honoured-on-a-gridboundcolumn-when-using-clientside-data-binding.aspx)

<ClientSettings>
    <DataBinding Location="WebService.asmx" SelectMethod="GetData" />
</ClientSettings>


In the .aspx.cs file:

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }  

    [WebMethod]
    public static List<Customer> GetData()
    {
        DataClassesDataContext context = new DataClassesDataContext();
        return context.Customers.Take(10).ToList();
    }
}

 

In the .aspx file:


<head runat="server">
    <title></title>
    <telerik:RadScriptBlock runat="server" ID="RadScriptBlock1">
        <script type="text/javascript">
            function pageLoad()
            {
                PageMethods.GetData(loadGrid);
            }

            function loadGrid(result)
            {
                result = ensureDataSource(result);
                var grid = $find("<%=RadGrid1.ClientID %>");
                grid.get_masterTableView().set_dataSource(result);
                grid.get_masterTableView().dataBind();
            }

            function ensureDataSource(result)
            {
                // Escape every string field of each row before binding on the client,
                // because HtmlEncode="true" is not honoured for client-side binding.
                for (var i = 0, j = result.length; i < j; i++)
                {
                    var item = result[i];
                    for (var field in item)
                    {
                        if (typeof item[field] === "string")
                        {
                            item[field] = escape(item[field]);
                        }
                    }
                }

                return result;
            }
        </script>
    </telerik:RadScriptBlock>
</head>
<body>
    <form id="form1" runat="server">
    <asp:ScriptManager runat="server" ID="ScriptManager1" EnablePageMethods="true"></asp:ScriptManager>
    <div>
   
    <telerik:RadGrid runat="server" ID="RadGrid1"
        AllowPaging="true" AllowFilteringByColumn="true">
        <MasterTableView AutoGenerateColumns="False" CellSpacing="-1" DataKeyNames="CustomerID">
            <Columns>
                <telerik:GridBoundColumn DataField="CustomerID" HeaderText="CustomerID"
                    ReadOnly="True" SortExpression="CustomerID" UniqueName="CustomerID">
                </telerik:GridBoundColumn>
                <telerik:GridBoundColumn DataField="CompanyName" HeaderText="CompanyName"
                    SortExpression="CompanyName" UniqueName="CompanyName">
                </telerik:GridBoundColumn>
                <telerik:GridBoundColumn DataField="ContactName" HeaderText="ContactName"
                    SortExpression="ContactName" UniqueName="ContactName">
                </telerik:GridBoundColumn>
                <telerik:GridBoundColumn DataField="ContactTitle" HeaderText="ContactTitle"
                    SortExpression="ContactTitle" UniqueName="ContactTitle">
                </telerik:GridBoundColumn>   
            </Columns>
        </MasterTableView>
        <ClientSettings>
            <ClientEvents OnCommand="function(){}" />
        </ClientSettings>
    </telerik:RadGrid>            
   
    </div>
    </form>
</body>

III. Example of escape()

This function encodes special characters, with the exception of: * @ - _ + . /

 

<script type="text/javascript">

document.write(escape("Need tips? Visit W3Schools!"));

</script>

 

Output:

Need%20tips%3F%20Visit%20W3Schools%21
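The following is an added example, not code from the original post or from Telerik, that shows the client-side encoding pass of Part II applied to rows shaped like the Customers result of the GetData web method, using both the escape() function the post recommends (Part III) and an HTML-entity encoder. The row data is constructed for the example; the field names are assumed to match the grid columns above. Note the difference in output: escape() produces percent-encoding, which neutralises markup but leaves the user seeing literal "%20" and "%3C" in the cell, while HTML-entity encoding is what the browser decodes back to the original text when the value lands in a table cell.

```javascript
// Added example (not from the original post or Telerik): encode every
// string field of each row before client-side RadGrid binding.

// HTML-entity encode a value for element content or attribute values.
// Ampersand is handled first so the other replacements are not double-encoded.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Apply an encoder to every string-valued field of every row.
// Returns a new array so the web-method result itself is not mutated.
function encodeRows(rows, encoder) {
  return rows.map(function (row) {
    var out = {};
    Object.keys(row).forEach(function (field) {
      var v = row[field];
      out[field] = typeof v === "string" ? encoder(v) : v;
    });
    return out;
  });
}

// Counterpart of the post's ensureDataSource(), using the legacy escape()
// global (percent-encoding: space -> %20, < -> %3C, > -> %3E, & -> %26).
function ensureDataSourceWithEscape(rows) {
  return encodeRows(rows, escape);
}

// Same pass with HTML-entity encoding, the form a browser decodes when
// the value is rendered inside a table cell.
function ensureDataSourceWithHtmlEncode(rows) {
  return encodeRows(rows, htmlEncode);
}

// Constructed sample rows, shaped like the Customers rows bound in the post
// (field names assumed to match the grid's DataField values).
var SAMPLE_ROWS = [
  { CustomerID: "ALFKI", CompanyName: "Alfreds <b>Futterkiste</b>", ContactName: "Maria & \"Anders\"" },
  { CustomerID: "ANATR", CompanyName: "Ana Trujillo", ContactName: "Ana Trujillo" }
];

// Run both encoders over the sample and return the results for inspection.
function demo() {
  return {
    escaped: ensureDataSourceWithEscape(SAMPLE_ROWS),
    encoded: ensureDataSourceWithHtmlEncode(SAMPLE_ROWS)
  };
}

var results = demo();
console.log(JSON.stringify(results.escaped[0]));
console.log(JSON.stringify(results.encoded[0]));
```

In the page script, loadGrid(result) would call one of the two ensureDataSource variants before set_dataSource(); the grid then renders the already-encoded strings as plain text regardless of what the database rows contain.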