只能判断相对路径:http://localhost:6666/Account/Login?returnUrl=/User/Index
不能判断绝对路径:http://localhost:6666/Account/Login?returnUrl=http://localhost:6666/User/Index
1.防止开放重定向:
/// <summary>/// 防止开放重定向(来自Mvc中的UrlHelper.IsLocalUrl)/// </summary>/// <param name="url"></param>/// <returns></returns>public static bool IsLocalUrl(string url){ ?return !string.IsNullOrEmpty(url) && ((url[0] == ‘/‘ && (url.Length == 1 || (url[1] != ‘/‘ && url[1] != ‘\\‘))) || (url.Length > 1 && url[0] == ‘~‘ && url[1] == ‘/‘));}
2.使用方法:
public void Login(string userName,string password, string returnUrl){//logic code//validate userName passwordif (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl) ){return Response.Redirect(returnUrl);}return Response.Redirect("/");}
防止开放重定向,恶意篡改returnUrl
原文地址:https://www.cnblogs.com/slwangzi/p/8496508.html