Add unparsable cruft to ASP.NET MVC JsonResult

In light of posts such as these:

JSON unparseable cruft: Why so serious?

Why do people put code like "throw 1; <dont be evil>" and "for(;;);" in front of json responses?

Why does Google prepend while(1); to their JSON responses?

I would like to follow the advice laid out in the following answer: How should web app developers defend against JSON hijacking?

Is there an easy way to add unparsable cruft to JSON responses built using System.Web.Mvc.JsonResult? The security.se post suggests that I use </* at the beginning of the response.


You could write a custom action result to perform this:

using System.Web.Mvc;

// Writes the unparsable prefix before the normal JSON body so that a
// <script src="..."> include of the endpoint fails with a syntax error.
public class SafeJsonResult : JsonResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        context.HttpContext.Response.Write("</*");
        base.ExecuteResult(context);
    }
}

and then use it instead of the default one:

public ActionResult Index()
{
    return new SafeJsonResult
    {
        Data = new { Foo = "bar" },
        JsonRequestBehavior = JsonRequestBehavior.AllowGet,
    };
}
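The client-side counterpart to SafeJsonResult, as an added example that is not part of the original answer: the legitimate caller must strip the "</*" prefix before parsing, and a quick check shows why the prefix defeats a script include. The function names and the sample body are assumptions.

```javascript
// Added example (not from the original answer): client-side counterpart to
// SafeJsonResult. The server prefixes every JSON body with "</*" so that a
// <script src=...> include of the endpoint fails to parse; the legitimate
// XHR/fetch caller must strip that prefix before calling JSON.parse.
const JSON_CRUFT = "</*";

// Strip the cruft and parse. Throws if the prefix is missing, so a response
// that somehow bypassed SafeJsonResult is noticed instead of silently accepted.
function parseSafeJson(body) {
  if (typeof body !== "string" || !body.startsWith(JSON_CRUFT)) {
    throw new Error("response is missing the expected JSON cruft prefix");
  }
  return JSON.parse(body.slice(JSON_CRUFT.length));
}

// Check that a body is a syntax error when treated as JavaScript (what a
// <script src=...> include would do). Only parses, never executes the body.
// A bare JSON array literal is valid JavaScript, which is why the cruft matters.
function cruftBreaksScriptParsing(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Fetch wrapper that applies the stripping to a real endpoint
// (fetchImpl is injectable so the function can be exercised offline).
async function fetchSafeJson(url, fetchImpl = fetch) {
  const res = await fetchImpl(url, { credentials: "same-origin" });
  return parseSafeJson(await res.text());
}

// Constructed sample: what SafeJsonResult emits for Data = new { Foo = "bar" }.
const sampleBody = '</*{"Foo":"bar"}';
```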