XSS vulnerabilities generally occur when an application takes user input and outputs it to a page without validating, encoding or escaping it.
- Validate arguments from events.
- Validate inputs and results from JS interop calls.
- Avoid using (or validate beforehand) user input for .NET to JS interop calls.
- Prevent the client from allocating an unbound amount of memory.
  - Data within the component.
  - DotNetObject references returned to the client.
- Guard against multiple dispatches.
- Cancel long-running operations when the component is disposed.
- Avoid events that produce large amounts of data.
- Avoid using user input as part of calls to NavigationManager.NavigateTo and validate user input for URLs against a set of allowed origins first if unavoidable.
- Don't make authorization decisions based on the state of the UI but only from component state.
- Consider using Content Security Policy (CSP) to protect against XSS attacks.
- Consider using CSP and X-Frame-Options to protect against click-jacking.
- Ensure CORS settings are appropriate when enabling CORS or explicitly disable CORS for Blazor apps.
- Test to ensure that the server-side limits for the Blazor app provide an acceptable user experience without unacceptable levels of risk.
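An added example (not code from the original notes) that puts four of the items above into one place: validating an event argument, refusing overlapping dispatches, cancelling in-flight work when the component is disposed, and checking a user-supplied URL against an allowed-origin set before calling NavigationManager.NavigateTo. The SafeNavigator class, the allow-list entries and the ReportComponent handler are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;

// Hypothetical helper: navigates only to absolute https URLs whose origin is on the allow-list.
public sealed class SafeNavigator
{
    // Constructed allow-list of origins (scheme + host [+ port]); replace with the real app's origins.
    private static readonly HashSet<string> AllowedOrigins =
        new(StringComparer.OrdinalIgnoreCase) { "https://app.example.com", "https://docs.example.com" };
    private readonly NavigationManager _nav;
    public SafeNavigator(NavigationManager nav) => _nav = nav;

    public static bool IsAllowed(string? candidate)
    {
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri)) return false; // relative or malformed
        if (uri.Scheme != Uri.UriSchemeHttps) return false;                         // javascript:, http:, data: ...
        // GetLeftPart(Authority) drops path, query and fragment; userinfo ("user@host") is kept and fails the match.
        return AllowedOrigins.Contains(uri.GetLeftPart(UriPartial.Authority));
    }

    public bool TryNavigate(string? userInput)
    {
        if (!IsAllowed(userInput)) return false; // reject, never "repair", a disallowed URL
        _nav.NavigateTo(userInput!, forceLoad: true);
        return true;
    }
}

// Hypothetical component: validates the event argument, refuses overlapping dispatches,
// and cancels the in-flight work when the component is disposed.
public class ReportComponent : ComponentBase, IDisposable
{
    private readonly CancellationTokenSource _cts = new();
    private bool _running; // a plain bool is enough: Blazor dispatches handlers on the renderer's sync context

    protected async Task OnGenerate(int pageSize)
    {
        if (pageSize is < 1 or > 100) return; // validate arguments from events (client-controlled)
        if (_running) return;                 // guard against multiple dispatches
        _running = true;
        try { await GenerateAsync(pageSize, _cts.Token); }
        catch (OperationCanceledException) { /* component was disposed mid-run */ }
        finally { _running = false; }
    }

    private static Task GenerateAsync(int pageSize, CancellationToken ct) =>
        Task.Delay(TimeSpan.FromSeconds(pageSize), ct); // stands in for real long-running work

    public void Dispose() { _cts.Cancel(); _cts.Dispose(); }
}
```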
ILogger: is responsible for writing a log message of a given Log Level.
ILoggerProvider: is responsible for creating an instance of ILogger (you are not supposed to use ILoggerProvider directly to create a logger).
ILoggerFactory: you can register one or more ILoggerProviders with the factory, which in turn uses all of them to create an instance of ILogger. ILoggerFactory holds a collection of ILoggerProviders.
A way to present an unhandled exception to the user in a better way.
In this link you can also see a custom ErrorBoundary.