• .net阻止XSS攻击方法


      <li>
                                    <asp:LinkButton ID="btnSchExcel" runat="server" CssClass="daochu-view" OnClick="btnSchExcel_Click"><i></i><span style="display: inline-block; vertical-align: middle;">导出学校数据</span></asp:LinkButton>
                                </li>
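          /// <summary>
          /// Best-effort denylist filter that strips control characters, decodes hexadecimal
          /// character references and removes a fixed list of script-related keywords from
          /// untrusted text.
          /// </summary>
          /// <remarks>
          /// SECURITY NOTE (review): this is a denylist, not a sanitizer, and it cannot be made
          /// complete. It decodes only hexadecimal references (&amp;#x61;), not decimal ones
          /// (&amp;#97;) or named entities, it makes a single decoding pass, and it removes
          /// keywords such as "title", "link", "meta" or "document" from perfectly legitimate
          /// text. Treat it as defence in depth only: output must still be encoded for the
          /// context it is written into (HttpUtility.HtmlEncode / HtmlAttributeEncode, or a
          /// whitelist HTML sanitizer when markup has to be preserved).
          /// </remarks>
          /// <param name="html">Untrusted input text; null or empty yields an empty string.</param>
          /// <returns>The filtered text (never null).</returns>
          public static string FilterXSS(this string html)
          {
              if (string.IsNullOrEmpty(html)) return string.Empty;

              // 1. Strip non-printing control characters. TAB (0x09), LF (0x0a) and CR (0x0d)
              //    are kept because ordinary text uses them. This defeats splitting a keyword
              //    with a control character, e.g. "java\x00script". (The pattern as published
              //    had lost its backslashes, "[x00-x08]...", and so matched runs of the literal
              //    characters 'x', '0', '8' instead of control characters.)
              string ret = System.Text.RegularExpressions.Regex.Replace(
                  html, @"[\x00-\x08\x0b\x0c\x0e-\x1f]", string.Empty);

              // 2. Decode hexadecimal numeric character references (&#x61;, &#X0061, trailing ';'
              //    optional) back to the plain character so that an encoded "javascript:" is
              //    visible to the keyword pass below. Only the printable ASCII characters in
              //    the list are decoded; any other reference is left untouched.
              const string decodable =
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()~`;:?+/={}[]-_|'\"\\";
              ret = System.Text.RegularExpressions.Regex.Replace(
                  ret,
                  @"&#[xX]0*([0-9a-fA-F]{1,2});?",
                  m =>
                  {
                      char c = (char)Convert.ToInt32(m.Groups[1].Value, 16);
                      return decodable.IndexOf(c) >= 0 ? c.ToString() : m.Value;
                  });

              // 3. Remove the denylisted keywords. Matching must be case-insensitive: HTML tag
              //    and attribute names are case-insensitive, so "<SCRIPT>" and "onClick" are as
              //    dangerous as the lowercase forms (string.Replace is ordinal/case-sensitive
              //    and let them through). The pass repeats until a full sweep changes nothing,
              //    because removing one keyword can splice another together
              //    ("java" + "alert" + "script").
              string[] keywords =
              {
                  "javascript", "alert", "vbscript", "expression", "applet", "meta", "xml", "blink",
                  "link", "style", "script", "embed", "object", "iframe", "frame", "frameset",
                  "ilayer", "layer", "bgsound", "title", "base",
                  "onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate",
                  "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus",
                  "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur",
                  "onbounce", "oncellchange", "onchange", "onclick", "oncontextmenu",
                  "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged",
                  "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend",
                  "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror",
                  "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin",
                  "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete",
                  "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave",
                  "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel",
                  "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange",
                  "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart",
                  "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll",
                  "onselect", "onselectionchange", "onselectstart", "onstart", "onstop",
                  "onsubmit", "document", "cookie", "onunload"
              };

              bool changed;
              do
              {
                  changed = false;
                  foreach (string keyword in keywords)
                  {
                      string next = System.Text.RegularExpressions.Regex.Replace(
                          ret,
                          System.Text.RegularExpressions.Regex.Escape(keyword),
                          string.Empty,
                          System.Text.RegularExpressions.RegexOptions.IgnoreCase);
                      // Removal only ever shortens the string, so a length change is a reliable
                      // "something matched" signal.
                      if (next.Length != ret.Length)
                      {
                          ret = next;
                          changed = true;
                      }
                  }
              } while (changed);

              return ret;
          }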
  • 原文地址:https://www.cnblogs.com/axu92312/p/13370195.html