最近有涉及到要防止用户在网页文本框中输入具有风险的敏感字符所以特地编写了一套针对用户输入的字符进行安全过滤的一个方法,在后台接收到用户输入的字符后调用执行该方法即可完成过滤操作,主要使用正则来匹配并替换掉敏感字符!
/// <summary> /// obj向string转换,替换具有风险的敏感字符并去除多余的空格; /// </summary> /// <param name="o"></param> /// <returns></returns> public static string RequestFilter(this object o) { if (o == DBNull.Value || o == null) { return ""; } else { string str = o.ToString().Trim(); //删除脚本 str = Regex.Replace(str, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase); //删除HTML str = Regex.Replace(str, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"([ ])[s]+", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"-->", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"<!--.*", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(quot|#34);", """, RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(amp|#38);", "&", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(lt|#60);", "<", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(gt|#62);", ">", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(iexcl|#161);", "xa1", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(cent|#162);", "xa2", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(pound|#163);", "xa3", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&(copy|#169);", "xa9", RegexOptions.IgnoreCase); str = Regex.Replace(str, @"&#(d+);", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "xp_cmdshell", "", RegexOptions.IgnoreCase); //删除与数据库相关的词 str = Regex.Replace(str, "select", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "insert", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "delete from", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "count''", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "drop table", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "truncate", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "asc", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "mid", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "char", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "xp_cmdshell", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "exec master", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "net localgroup administrators", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "and", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "net user", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "or", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "net", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "delete", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "drop", "", RegexOptions.IgnoreCase); str = Regex.Replace(str, "script", "", RegexOptions.IgnoreCase); str = str.Replace("<", ""); str = str.Replace(">", ""); str = str.Replace("*", ""); str = str.Replace("--", ""); str = str.Replace("?", ""); str = str.Replace(",", ""); str = str.Replace("/", ""); str = str.Replace(";", ""); str = str.Replace("*/", ""); str = str.Replace(" ", ""); return str; } }