做一个用户可以发表评论的功能。为防止用户提交恶意代码,将用户提交的内容
用Server.HtmlEncode();编码,但是需要用户可以自动编辑样式,可以编写html代码,我该怎么办??过滤关键字吗(如:替换掉alert...)?
这样会不会可能过滤不完整求解
用Server.HtmlEncode();编码,但是需要用户可以自动编辑样式,可以编写html代码,我该怎么办??过滤关键字吗(如:替换掉alert...)?
这样会不会可能过滤不完整求解
Microsoft Anti-Cross Site Scripting Library: http://msdn.microsoft.com/zh-cn/library/aa973813%28en-us%29.aspx
另外
How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn.microsoft.com/en-us/library/ff649310.aspx
Web 安全威胁与对策
http://msdn.microsoft.com/zh-cn/library/ff648641.aspx
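/// <summary>
/// Removes a fixed set of script-bearing constructs from an untrusted HTML fragment:
/// <c>&lt;script&gt;</c>, <c>&lt;iframe&gt;</c> and <c>&lt;frameset&gt;</c> elements,
/// <c>href</c> values that start with a script scheme, and <c>on*</c> event attributes
/// (which are renamed rather than removed).
/// </summary>
/// <remarks>
/// This is a deny-list: only the patterns listed here are touched and everything else is
/// passed through verbatim, so it is not a complete sanitizer. Treat it as defence in depth
/// next to output encoding or an allow-list sanitizer (such as the Anti-XSS library the thread
/// links to), not as the only control on user-supplied markup.
/// </remarks>
/// <param name="html">Untrusted HTML fragment; null is treated like an empty string.</param>
/// <returns>The fragment with the listed constructs removed or neutralised.</returns>
public string wipescript(string html)
{
    if (string.IsNullOrEmpty(html))
    {
        return string.Empty;
    }

    const System.Text.RegularExpressions.RegexOptions opts =
        System.Text.RegularExpressions.RegexOptions.IgnoreCase;

    // [\s\S] matches any character including newlines; the original [\s\s] only matched
    // whitespace, so an element with any content was never stripped. The lazy *? limits each
    // match to one element instead of spanning from the first opening tag to the last closing tag.
    html = System.Text.RegularExpressions.Regex.Replace(html, @"<script\b[\s\S]*?</script\s*>", string.Empty, opts);
    html = System.Text.RegularExpressions.Regex.Replace(html, @"<iframe\b[\s\S]*?</iframe\s*>", string.Empty, opts);
    html = System.Text.RegularExpressions.Regex.Replace(html, @"<frameset\b[\s\S]*?</frameset\s*>", string.Empty, opts);

    // href=...script: — the scheme is matched directly (optional quote and whitespace) instead of
    // the unbounded [\s\S]* of the original, which could delete everything between an href and
    // a later "script:" in the document.
    html = System.Text.RegularExpressions.Regex.Replace(html, @"\shref\s*=\s*[""']?\s*\w*script\s*:", string.Empty, opts);

    // on<name>= event attributes are renamed, as in the original; \w+ replaces the original
    // [\s\s]* which only matched "on" followed by whitespace and '='.
    html = System.Text.RegularExpressions.Regex.Replace(html, @"\son\w+\s*=", " _disibledevent=", opts);
    return html;
}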
<script>标签和<iframe>标签,难道就不允许发布吗?
那csdn为什么可以发布呢?用户提交的时候照常提交,读取数据的时候只要把左右尖括号标签替换成html的转义字符就ok了。
string s = "<script>alert('sdf');</script>";
s = s.Replace("<","&lt;").Replace(">","&gt;");
this.Response.Write(s);这岂不是更好。
{
// Literal for an empty JavaScript string ('') and an empty VBScript string ("").
// The encoders below return the same literals inline rather than referencing these names.
private const string EmptyStringJavaScript = "''";
private const string EmptyStringVBS = "\"\"";
// Lookup table built once by InitWhitelistCodes(), one entry per UTF-16 code unit:
// null means "emit as-is", otherwise the array holds the decimal digits of the code unit.
private static char[][] WhitelistCodes = InitWhitelistCodes();

/// <summary>
/// Encodes <paramref name="input"/> for use inside an HTML attribute value. Every code unit
/// that is not allow-listed, plus the space character, becomes a decimal character
/// reference (<c>&amp;#NNN;</c>); allow-listed characters pass through unchanged.
/// </summary>
/// <param name="input">Untrusted text; null and empty return <see cref="string.Empty"/>.</param>
/// <returns>The encoded text.</returns>
public static string HtmlAttributeEncode(string input)
{
    if (string.IsNullOrEmpty(input))
    {
        return string.Empty;
    }
    int length = 0;
    int num2 = input.Length;
    // Worst case per code unit is "&#" + 5 digits + ";" = 8 chars.
    char[] chArray = new char[num2 * 8];
    for (int i = 0; i < num2; i++)
    {
        int index = input[i];
        // Space is allow-listed (its table entry is null) but is still encoded here, unlike in
        // HtmlEncode; presumably for unquoted attribute values — the code does not say.
        if ((WhitelistCodes[index] != null) || (index == 0x20))
        {
            char[] chArray2 = WhitelistCodes[index];
            chArray[length++] = '&';
            chArray[length++] = '#';
            if (index == 0x20)
            {
                // The table holds no digits for space, so "32" is written out directly.
                chArray[length++] = '3';
                chArray[length++] = '2';
            }
            else
            {
                for (int j = 0; j < chArray2.Length; j++)
                {
                    chArray[length++] = chArray2[j];
                }
            }
            chArray[length++] = ';';
        }
        else
        {
            chArray[length++] = input[i];
        }
    }
    return new string(chArray, 0, length);
}

/// <summary>
/// Encodes <paramref name="input"/> for HTML text content: every UTF-16 code unit outside the
/// allow list becomes a decimal character reference (<c>&amp;#NNN;</c>); allow-listed characters
/// (ASCII letters and digits, space, ". , - _" and a set of Unicode letter ranges) pass through.
/// </summary>
/// <param name="input">Untrusted text; null and empty return <see cref="string.Empty"/>.</param>
/// <returns>The encoded text.</returns>
/// <remarks>
/// The table is indexed per UTF-16 code unit, so each half of a surrogate pair is looked up
/// and encoded as its own reference.
/// </remarks>
public static string HtmlEncode(string input)
{
    if (string.IsNullOrEmpty(input))
    {
        return string.Empty;
    }
    int length = 0;
    int num2 = input.Length;
    // Worst case per code unit is "&#" + 5 digits + ";" = 8 chars.
    char[] chArray = new char[num2 * 8];
    for (int i = 0; i < num2; i++)
    {
        int index = input[i];
        if (WhitelistCodes[index] != null)
        {
            char[] chArray2 = WhitelistCodes[index];
            chArray[length++] = '&';
            chArray[length++] = '#';
            for (int j = 0; j < chArray2.Length; j++)
            {
                chArray[length++] = chArray2[j];
            }
            chArray[length++] = ';';
        }
        else
        {
            chArray[length++] = input[i];
        }
    }
    return new string(chArray, 0, length);
}

/// <summary>
/// Same as <see cref="HtmlEncode(string)"/>, but when the current request carries a
/// <c>MarkAntiXssOutput</c> query-string key the encoded text is wrapped in a
/// <c>&lt;span&gt;</c> with the given background colour, so encoded output can be spotted
/// on the rendered page while testing.
/// </summary>
/// <param name="input">Untrusted text.</param>
/// <param name="clr">Highlight colour for the marker span.</param>
/// <returns>The encoded text, possibly wrapped in the marker span.</returns>
public static string HtmlEncode(string input, KnownColor clr)
{
    // Any client can set this key. The span's attributes come from clr and a fixed name, not
    // from the request, but the marker does reveal which outputs pass through the encoder.
    // HttpContext.Current is null outside an ASP.NET request, so this line throws there.
    if (HttpContext.Current.Request.QueryString["MarkAntiXssOutput"] != null)
    {
        return ("<span name='#antixssoutput' style ='background-color : " + Color.FromKnownColor(clr).Name + "'>" + HtmlEncode(input) + "</span>");
    }
    return HtmlEncode(input);
}

/// <summary>
/// Builds the 65 536-entry lookup table shared by all encoders, one entry per UTF-16 code unit.
/// </summary>
/// <returns>
/// An array whose entry for an allow-listed code unit is null (emit as-is) and whose every
/// other entry holds the decimal digits of the code unit, ready for a numeric reference.
/// </returns>
private static char[][] InitWhitelistCodes()
{
    char[][] chArray = new char[0x10000][];
    for (int i = 0; i < chArray.Length; i++)
    {
        // Allow list: a-z, A-Z, 0-9, space, '.', ',', '-', '_', then the ranges 0x100-0x24F,
        // 0x370-0x7FF, 0x900-0x18AF, 0x1900-0x1A1F, 0x1B00-0x1B7F, 0x1E00-0x1FFF, 0x2C00-0x2DDF,
        // 0x3040-0x312F, 0x3190-0x31BF, 0x31F0-0x31FF, 0xA000-0xA4CF, 0xA720-0xA82F, 0xA840-0xA87F,
        // 0xAC00-0xD7AF and 0x4E00-0x9FC3. Surrogates (0xD800-0xDFFF) are not included, so each
        // half of a pair is encoded separately by the callers.
        if ((((((i >= 0x61) && (i <= 0x7a)) || ((i >= 0x41) && (i <= 90))) || (((i >= 0x30) && (i <= 0x39)) || ((((i == 0x20) || (i == 0x2e)) || ((i == 0x2c) || (i == 0x2d))) || ((i == 0x5f) || ((i >= 0x100) && (i <= 0x24f)))))) || ((((i >= 880) && (i <= 0x7ff)) || ((i >= 0x900) && (i <= 0x18af))) || (((i >= 0x1900) && (i <= 0x1a1f)) || ((i >= 0x1b00) && (i <= 0x1b7f))))) || (((((i >= 0x1e00) && (i <= 0x1fff)) || ((i >= 0x2c00) && (i <= 0x2ddf))) || (((i >= 0x3040) && (i <= 0x312f)) || ((i >= 0x3190) && (i <= 0x31bf)))) || (((((i >= 0x31f0) && (i <= 0x31ff)) || ((i >= 0xa000) && (i <= 0xa4cf))) || (((i >= 0xa720) && (i <= 0xa82f)) || ((i >= 0xa840) && (i <= 0xa87f)))) || (((i >= 0xac00) && (i <= 0xd7af)) || ((i >= 0x4e00) && (i <= 0x9fc3))))))
        {
            chArray[i] = null;
        }
        else
        {
            // Decimal digits of the code unit, stored once so the encoders never format at call time.
            string str = i.ToString();
            int length = str.Length;
            char[] chArray2 = new char[length];
            for (int j = 0; j < length; j++)
            {
                chArray2[j] = str[j];
            }
            chArray[i] = chArray2;
        }
    }
    return chArray;
}

/// <summary>
/// Encodes <paramref name="input"/> as a single-quoted JavaScript string literal;
/// equivalent to <c>JavaScriptEncode(input, true)</c>.
/// </summary>
/// <param name="input">Untrusted text.</param>
/// <returns>The quoted, escaped literal.</returns>
public static string JavaScriptEncode(string input)
{
    return JavaScriptEncode(input, true);
}

/// <summary>
/// Encodes <paramref name="input"/> for use inside a JavaScript string literal. Allow-listed
/// characters pass through; every other code unit becomes <c>\xHH</c> (code units up to 0x7F)
/// or <c>\uHHHH</c> (above 0x7F), in lowercase hex.
/// </summary>
/// <param name="input">Untrusted text.</param>
/// <param name="flagforQuote">When true the result is wrapped in single quotes and an empty
/// input yields <c>''</c>; when false an empty input yields an empty string.</param>
/// <returns>The escaped literal.</returns>
/// <remarks>
/// <c>\xHH</c> is a JavaScript escape, not a JSON one, so this output is for script source
/// rather than JSON documents.
/// </remarks>
public static string JavaScriptEncode(string input, bool flagforQuote)
{
    if (string.IsNullOrEmpty(input))
    {
        if (flagforQuote)
        {
            return "''";
        }
        return "";
    }
    int length = 0;
    int num2 = input.Length;
    // Worst case per code unit is "\uHHHH" = 6 chars; the factor of 8 also covers the two quotes.
    char[] chArray = new char[num2 * 8];
    if (flagforQuote)
    {
        chArray[length++] = '\'';
    }
    for (int i = 0; i < num2; i++)
    {
        int index = input[i];
        char ch = input[i];
        if (WhitelistCodes[index] != null)
        {
            // Only the null/non-null test matters here; the table's decimal digits are not used
            // for JavaScript escapes, so chArray1 is never read.
            char[] chArray1 = WhitelistCodes[index];
            if (index > 0x7f)
            {
                chArray[length++] = '\\';
                chArray[length++] = 'u';
                string str = ((int)ch).ToString("x").PadLeft(4, '0');
                chArray[length++] = str[0];
                chArray[length++] = str[1];
                chArray[length++] = str[2];
                chArray[length++] = str[3];
            }
            else
            {
                chArray[length++] = '\\';
                chArray[length++] = 'x';
                string str2 = ((int)ch).ToString("x").PadLeft(2, '0');
                chArray[length++] = str2[0];
                chArray[length++] = str2[1];
            }
        }
        else
        {
            chArray[length++] = input[i];
        }
    }
    if (flagforQuote)
    {
        chArray[length++] = '\'';
    }
    return new string(chArray, 0, length);
}
}
秒杀各种跨站脚本攻击。用16进制贴代码进来也能过滤,CSDN 要好好学习。前段时间小虎顽皮,到处贴xss给csdn 捣乱。不知道是不是被关小黑屋了,好久不见了。
// NOTE(review): the signature of this method is not on the page. Its body is the UTF-8 twin of
// UrlEncode(string, int) below, so presumably this is the single-argument UrlEncode(string)
// overload — confirm against the original assembly.
// Percent-encodes every code unit outside the allow list, plus space and comma, as the lowercase
// hex of its UTF-8 bytes; allow-listed characters pass through. Null/empty input returns "".
{
    if (string.IsNullOrEmpty(input))
    {
        return string.Empty;
    }
    int length = 0;
    int num2 = input.Length;
    // Worst case is 3 UTF-8 bytes * "%HH" = 9 chars per code unit; 0x18 (24) is more than enough.
    char[] chArray = new char[num2 * 0x18];
    for (int i = 0; i < num2; i++)
    {
        int index = input[i];
        // Each UTF-16 code unit is converted on its own. For a surrogate pair this hands a lone
        // surrogate to the encoder, which emits its replacement fallback rather than the real
        // 4-byte sequence — NOTE(review): confirm; it looks like astral characters are mangled here.
        string s = input[i].ToString();
        // Comma is allow-listed in the table but is encoded by URL encoders anyway.
        if (((WhitelistCodes[index] != null) || (index == 0x20)) || (index == 0x2c))
        {
            byte[] bytes = Encoding.UTF8.GetBytes(s);
            int num5 = bytes.Length;
            for (int j = 0; j < num5; j++)
            {
                char ch = (char)bytes[j];
                // A byte cast to char is always <= 0xFF, so this guard is always true and no byte is dropped.
                if (ch <= 'Ā')
                {
                    chArray[length++] = '%';
                    string str2 = ((int)ch).ToString("x").PadLeft(2, '0');
                    chArray[length++] = str2[0];
                    chArray[length++] = str2[1];
                }
            }
        }
        else
        {
            chArray[length++] = input[i];
        }
    }
    return new string(chArray, 0, length);
}

/// <summary>
/// Percent-encodes <paramref name="input"/> using the byte representation of the given code
/// page: every code unit outside the allow list, plus space and comma, becomes one <c>%HH</c>
/// (lowercase hex) per encoded byte; allow-listed characters pass through.
/// </summary>
/// <param name="input">Untrusted text; null and empty return <see cref="string.Empty"/>.</param>
/// <param name="codepage">Code page passed to <see cref="Encoding.GetEncoding(int)"/>.</param>
/// <returns>The percent-encoded text.</returns>
/// <remarks>
/// The encoding is looked up once per encoded character rather than once per call, and an
/// unsupported code page only throws when the input actually contains a character to encode.
/// </remarks>
public static string UrlEncode(string input, int codepage)
{
    if (string.IsNullOrEmpty(input))
    {
        return string.Empty;
    }
    int length = 0;
    int num3 = input.Length;
    // 0x18 (24) chars per code unit leaves ample room for multi-byte encodings.
    char[] chArray = new char[num3 * 0x18];
    for (int i = 0; i < num3; i++)
    {
        int index = input[i];
        // Each UTF-16 code unit is converted on its own; surrogate pairs are therefore split
        // before they reach the encoder — NOTE(review): confirm how the chosen code page's
        // fallback handles that.
        string s = input[i].ToString();
        if (((WhitelistCodes[index] != null) || (index == 0x20)) || (index == 0x2c))
        {
            byte[] bytes = Encoding.GetEncoding(codepage).GetBytes(s);
            int num5 = bytes.Length;
            for (int j = 0; j < num5; j++)
            {
                char ch = (char)bytes[j];
                // Always true for a byte cast to char; nothing is dropped.
                if (ch <= 'Ā')
                {
                    chArray[length++] = '%';
                    string str2 = ((int)ch).ToString("x").PadLeft(2, '0');
                    chArray[length++] = str2[0];
                    chArray[length++] = str2[1];
                }
            }
        }
        else
        {
            chArray[length++] = input[i];
        }
    }
    return new string(chArray, 0, length);
}

/// <summary>
/// Encodes <paramref name="input"/> as a VBScript string expression: runs of allow-listed
/// characters become double-quoted literals and every other code unit becomes
/// <c>chrw(NNN)</c> (decimal), all joined with <c>&amp;</c>, e.g. <c>"ab"&amp;chrw(60)&amp;"cd"</c>.
/// </summary>
/// <param name="input">Untrusted text; null and empty return <c>""</c> (an empty VBScript literal).</param>
/// <returns>The VBScript expression.</returns>
public static string VisualBasicScriptEncode(string input)
{
    if (string.IsNullOrEmpty(input))
    {
        return "\"\"";
    }
    int length = 0;
    int num2 = input.Length;
    // Worst case per code unit is "&chrw(" + 5 digits + ")" = 12 chars.
    char[] chArray = new char[num2 * 12];
    // True while a double-quoted literal is open in the output.
    bool flag = false;
    for (int i = 0; i < num2; i++)
    {
        int index = input[i];
        char ch = input[i];
        if (WhitelistCodes[index] != null)
        {
            // Close any open literal before appending a chrw() call.
            if (flag)
            {
                chArray[length++] = '"';
                flag = false;
            }
            foreach (char ch2 in "&chrw(" + ((uint)ch).ToString() + ")")
            {
                chArray[length++] = ch2;
            }
        }
        else
        {
            // Open a literal for the first pass-through character after a chrw() call or at the
            // start. The double quote itself is not allow-listed, so it never lands inside a literal.
            if (!flag)
            {
                chArray[length++] = '&';
                chArray[length++] = '"';
                flag = true;
            }
            chArray[length++] = input[i];
        }
    }
    if (flag)
    {
        chArray[length++] = '"';
    }
    // Both branches start their output with '&', so for a non-empty input the first char is
    // always a leading '&' that is dropped here (chArray.Length > 0 whenever input is non-empty).
    if ((chArray.Length > 0) && (chArray[0] == '&'))
    {
        return new string(chArray, 1, length - 1);
    }
    return new string(chArray, 0, length);
}

/// <summary>
/// Encodes <paramref name="input"/> for an XML attribute value by delegating to
/// <see cref="HtmlAttributeEncode(string)"/>: decimal character references are valid in XML
/// too, and space is encoded as <c>&amp;#32;</c> just as in the HTML variant.
/// </summary>
/// <param name="input">Untrusted text; null and empty return <see cref="string.Empty"/>.</param>
/// <returns>The encoded text.</returns>
public static string XmlAttributeEncode(string input)
{
    return HtmlAttributeEncode(input);
}

/// <summary>
/// Encodes <paramref name="input"/> for XML text content by delegating to
/// <see cref="HtmlEncode(string)"/>; the decimal character references it emits are valid in XML.
/// </summary>
/// <param name="input">Untrusted text; null and empty return <see cref="string.Empty"/>.</param>
/// <returns>The encoded text.</returns>
public static string XmlEncode(string input)
{
    return HtmlEncode(input);
}
接上