asp.net防止XSS(脚本)攻击
2011-09-14 13:43
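// C0 control characters except TAB (0x09), LF (0x0A) and CR (0x0D). Verbatim string on purpose:
// the regex engine, not the C# compiler, should interpret the \x escapes, and a single character
// class (not three consecutive ones) is what matches a lone control character.
private static readonly System.Text.RegularExpressions.Regex ControlCharsRegex =
    new System.Text.RegularExpressions.Regex(@"[\x00-\x08\x0B\x0C\x0E-\x1F]");

// Numeric character references, hex ("&#x6A;", "&#X006a") or decimal ("&#106;", "&#0106").
// The "&#" prefix is mandatory so ordinary text such as "0x61" is never rewritten; the ';' is
// optional and leading zeros are skipped because browsers accept both forms.
private static readonly System.Text.RegularExpressions.Regex NumericEntityRegex =
    new System.Text.RegularExpressions.Regex(@"&#(?:[xX]0*([0-9A-Fa-f]+)|0*([0-9]+));?");

// Characters that the entity step decodes. '<', '>', '.' and ',' are deliberately absent:
// turning "&#60;" into a literal '<' would create markup where the browser would only have
// rendered text.
private const string DecodableChars =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()~`;:?+/={}[]-_|'\"\\";

// What an attacker may sprinkle between the letters of a keyword ("jav&#x09;ascript:"): literal
// TAB/LF/CR, or those three characters as hex or decimal references. A reference without ';'
// only counts when no further digit follows, mirroring where a browser would end it.
private const string KeywordNoise =
    @"(?:[\t\n\r]|&#[xX]0*[9aAdD](?:;|(?![0-9A-Fa-f]))|&#0*(?:9|10|13)(?:;|(?![0-9])))*";

// Tag, attribute, protocol and event-handler names that are broken up (case-insensitively).
private static readonly string[] XssKeywords =
{
    "javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link", "style", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound", "title", "base",
    "onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce", "oncellchange", "onchange", "onclick", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit", "onunload"
};

// Hard upper bound on keyword passes so the loop always terminates; it normally stops after the
// first pass that changes nothing.
private const int MaxKeywordPasses = 5;

// Built once: one regex per keyword (letters separated by optional KeywordNoise) and the text
// that replaces a match ("javascript" -> "ja<x>vascript"). Declared after XssKeywords because
// static initialisers run in textual order.
private static readonly System.Text.RegularExpressions.Regex[] XssKeywordRegexes = BuildKeywordRegexes();
private static readonly string[] XssKeywordReplacements = BuildKeywordReplacements();

/// <summary>
/// Best-effort neutralisation of script payloads in untrusted text, in the style of the classic
/// "RemoveXSS" deny-list filter: strip non-printing control characters, decode numeric character
/// references that spell printable ASCII, then break up dangerous tag / attribute / protocol
/// keywords by inserting "&lt;x&gt;" after their second letter.
/// </summary>
/// <remarks>
/// This is a deny-list, and deny-lists are bypassable: the filter knows nothing about the context
/// the output lands in (HTML body, attribute, URL, script), it does not decode named entities
/// (&amp;lt;) or URL-encoding, and it only breaks keywords it has heard of. Use it as defence in
/// depth at most; the primary control must remain context-aware output encoding
/// (HttpUtility.HtmlEncode / HtmlAttributeEncode or an AntiXSS encoder) plus a
/// Content-Security-Policy. The keyword step also mangles legitimate prose ("title" becomes
/// "ti&lt;x&gt;tle"), so do not run it over content that is later shown verbatim.
/// </remarks>
/// <param name="html">Untrusted input; null or empty is accepted.</param>
/// <returns>
/// The filtered text, or <see cref="string.Empty"/> when <paramref name="html"/> is null or empty.
/// </returns>
public string FilterXSS(string html)
{
    if (string.IsNullOrEmpty(html))
    {
        return string.Empty;
    }

    // 1. Drop non-printing control characters (attacks such as "<java\0script>"), keeping
    //    TAB, LF and CR because callers may legitimately need them.
    string ret = ControlCharsRegex.Replace(html, string.Empty);

    // 2. Decode hex/decimal references that spell a printable character, so that
    //    "&#x6A;&#x61;vascript:" (or "&#106;&#97;vascript:") is visible to the keyword scan.
    ret = NumericEntityRegex.Replace(ret, DecodeNumericEntity);

    // 3. Break up dangerous keywords even when their letters are separated by literal or
    //    entity-encoded TAB/LF/CR. Re-run until nothing changes, with a hard cap.
    for (int pass = 0; pass < MaxKeywordPasses; pass++)
    {
        string before = ret;
        for (int i = 0; i < XssKeywordRegexes.Length; i++)
        {
            ret = XssKeywordRegexes[i].Replace(ret, XssKeywordReplacements[i]);
        }

        if (ret == before)
        {
            break;
        }
    }

    return ret;
}

/// <summary>
/// Decodes one numeric character reference when it denotes a character in
/// <see cref="DecodableChars"/>; any other reference is returned unchanged.
/// </summary>
private static string DecodeNumericEntity(System.Text.RegularExpressions.Match match)
{
    System.Text.RegularExpressions.Group hex = match.Groups[1];
    int codePoint;
    bool parsed = hex.Success
        ? int.TryParse(hex.Value, System.Globalization.NumberStyles.HexNumber, System.Globalization.CultureInfo.InvariantCulture, out codePoint)
        : int.TryParse(match.Groups[2].Value, System.Globalization.NumberStyles.None, System.Globalization.CultureInfo.InvariantCulture, out codePoint);

    // Overflow (TryParse false), non-printable, or outside the decodable set: leave it alone.
    if (!parsed || codePoint < 0x21 || codePoint > 0x7E || DecodableChars.IndexOf((char)codePoint) < 0)
    {
        return match.Value;
    }

    return ((char)codePoint).ToString();
}

/// <summary>Builds one case-insensitive regex per keyword, allowing KeywordNoise between letters.</summary>
private static System.Text.RegularExpressions.Regex[] BuildKeywordRegexes()
{
    var regexes = new System.Text.RegularExpressions.Regex[XssKeywords.Length];
    for (int i = 0; i < XssKeywords.Length; i++)
    {
        string keyword = XssKeywords[i];
        var pattern = new System.Text.StringBuilder();
        for (int j = 0; j < keyword.Length; j++)
        {
            if (j > 0)
            {
                pattern.Append(KeywordNoise);
            }

            pattern.Append(System.Text.RegularExpressions.Regex.Escape(keyword[j].ToString()));
        }

        regexes[i] = new System.Text.RegularExpressions.Regex(
            pattern.ToString(), System.Text.RegularExpressions.RegexOptions.IgnoreCase);
    }

    return regexes;
}

/// <summary>Replacement text per keyword: the keyword with "&lt;x&gt;" inserted after its second letter.</summary>
private static string[] BuildKeywordReplacements()
{
    var replacements = new string[XssKeywords.Length];
    for (int i = 0; i < XssKeywords.Length; i++)
    {
        // Contains no '$', so it is safe as a literal Regex.Replace replacement string.
        replacements[i] = XssKeywords[i].Insert(2, "<x>");
    }

    return replacements;
}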
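// C0 control characters except TAB (0x09), LF (0x0A) and CR (0x0D). Verbatim string on purpose:
// the regex engine, not the C# compiler, should interpret the \x escapes, and a single character
// class (not three consecutive ones) is what matches a lone control character.
private static readonly System.Text.RegularExpressions.Regex ControlCharsRegex =
    new System.Text.RegularExpressions.Regex(@"[\x00-\x08\x0B\x0C\x0E-\x1F]");

// Numeric character references, hex ("&#x6A;", "&#X006a") or decimal ("&#106;", "&#0106").
// The "&#" prefix is mandatory so ordinary text such as "0x61" is never rewritten; the ';' is
// optional and leading zeros are skipped because browsers accept both forms.
private static readonly System.Text.RegularExpressions.Regex NumericEntityRegex =
    new System.Text.RegularExpressions.Regex(@"&#(?:[xX]0*([0-9A-Fa-f]+)|0*([0-9]+));?");

// Characters that the entity step decodes. '<', '>', '.' and ',' are deliberately absent:
// turning "&#60;" into a literal '<' would create markup where the browser would only have
// rendered text.
private const string DecodableChars =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()~`;:?+/={}[]-_|'\"\\";

// What an attacker may sprinkle between the letters of a keyword ("jav&#x09;ascript:"): literal
// TAB/LF/CR, or those three characters as hex or decimal references. A reference without ';'
// only counts when no further digit follows, mirroring where a browser would end it.
private const string KeywordNoise =
    @"(?:[\t\n\r]|&#[xX]0*[9aAdD](?:;|(?![0-9A-Fa-f]))|&#0*(?:9|10|13)(?:;|(?![0-9])))*";

// Tag, attribute, protocol and event-handler names that are broken up (case-insensitively).
private static readonly string[] XssKeywords =
{
    "javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link", "style", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound", "title", "base",
    "onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce", "oncellchange", "onchange", "onclick", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit", "onunload"
};

// Hard upper bound on keyword passes so the loop always terminates; it normally stops after the
// first pass that changes nothing.
private const int MaxKeywordPasses = 5;

// Built once: one regex per keyword (letters separated by optional KeywordNoise) and the text
// that replaces a match ("javascript" -> "ja<x>vascript"). Declared after XssKeywords because
// static initialisers run in textual order.
private static readonly System.Text.RegularExpressions.Regex[] XssKeywordRegexes = BuildKeywordRegexes();
private static readonly string[] XssKeywordReplacements = BuildKeywordReplacements();

/// <summary>
/// Best-effort neutralisation of script payloads in untrusted text, in the style of the classic
/// "RemoveXSS" deny-list filter: strip non-printing control characters, decode numeric character
/// references that spell printable ASCII, then break up dangerous tag / attribute / protocol
/// keywords by inserting "&lt;x&gt;" after their second letter.
/// </summary>
/// <remarks>
/// This is a deny-list, and deny-lists are bypassable: the filter knows nothing about the context
/// the output lands in (HTML body, attribute, URL, script), it does not decode named entities
/// (&amp;lt;) or URL-encoding, and it only breaks keywords it has heard of. Use it as defence in
/// depth at most; the primary control must remain context-aware output encoding
/// (HttpUtility.HtmlEncode / HtmlAttributeEncode or an AntiXSS encoder) plus a
/// Content-Security-Policy. The keyword step also mangles legitimate prose ("title" becomes
/// "ti&lt;x&gt;tle"), so do not run it over content that is later shown verbatim.
/// </remarks>
/// <param name="html">Untrusted input; null or empty is accepted.</param>
/// <returns>
/// The filtered text, or <see cref="string.Empty"/> when <paramref name="html"/> is null or empty.
/// </returns>
public string FilterXSS(string html)
{
    if (string.IsNullOrEmpty(html))
    {
        return string.Empty;
    }

    // 1. Drop non-printing control characters (attacks such as "<java\0script>"), keeping
    //    TAB, LF and CR because callers may legitimately need them.
    string ret = ControlCharsRegex.Replace(html, string.Empty);

    // 2. Decode hex/decimal references that spell a printable character, so that
    //    "&#x6A;&#x61;vascript:" (or "&#106;&#97;vascript:") is visible to the keyword scan.
    ret = NumericEntityRegex.Replace(ret, DecodeNumericEntity);

    // 3. Break up dangerous keywords even when their letters are separated by literal or
    //    entity-encoded TAB/LF/CR. Re-run until nothing changes, with a hard cap.
    for (int pass = 0; pass < MaxKeywordPasses; pass++)
    {
        string before = ret;
        for (int i = 0; i < XssKeywordRegexes.Length; i++)
        {
            ret = XssKeywordRegexes[i].Replace(ret, XssKeywordReplacements[i]);
        }

        if (ret == before)
        {
            break;
        }
    }

    return ret;
}

/// <summary>
/// Decodes one numeric character reference when it denotes a character in
/// <see cref="DecodableChars"/>; any other reference is returned unchanged.
/// </summary>
private static string DecodeNumericEntity(System.Text.RegularExpressions.Match match)
{
    System.Text.RegularExpressions.Group hex = match.Groups[1];
    int codePoint;
    bool parsed = hex.Success
        ? int.TryParse(hex.Value, System.Globalization.NumberStyles.HexNumber, System.Globalization.CultureInfo.InvariantCulture, out codePoint)
        : int.TryParse(match.Groups[2].Value, System.Globalization.NumberStyles.None, System.Globalization.CultureInfo.InvariantCulture, out codePoint);

    // Overflow (TryParse false), non-printable, or outside the decodable set: leave it alone.
    if (!parsed || codePoint < 0x21 || codePoint > 0x7E || DecodableChars.IndexOf((char)codePoint) < 0)
    {
        return match.Value;
    }

    return ((char)codePoint).ToString();
}

/// <summary>Builds one case-insensitive regex per keyword, allowing KeywordNoise between letters.</summary>
private static System.Text.RegularExpressions.Regex[] BuildKeywordRegexes()
{
    var regexes = new System.Text.RegularExpressions.Regex[XssKeywords.Length];
    for (int i = 0; i < XssKeywords.Length; i++)
    {
        string keyword = XssKeywords[i];
        var pattern = new System.Text.StringBuilder();
        for (int j = 0; j < keyword.Length; j++)
        {
            if (j > 0)
            {
                pattern.Append(KeywordNoise);
            }

            pattern.Append(System.Text.RegularExpressions.Regex.Escape(keyword[j].ToString()));
        }

        regexes[i] = new System.Text.RegularExpressions.Regex(
            pattern.ToString(), System.Text.RegularExpressions.RegexOptions.IgnoreCase);
    }

    return regexes;
}

/// <summary>Replacement text per keyword: the keyword with "&lt;x&gt;" inserted after its second letter.</summary>
private static string[] BuildKeywordReplacements()
{
    var replacements = new string[XssKeywords.Length];
    for (int i = 0; i < XssKeywords.Length; i++)
    {
        // Contains no '$', so it is safe as a literal Regex.Replace replacement string.
        replacements[i] = XssKeywords[i].Insert(2, "<x>");
    }

    return replacements;
}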