脚本安全

代码：asp.net防止XSS攻击

香水坏坏发表于2008-3-10 [ASP.NET]
C#代码
1. /// <summary>
2. /// 过滤xss攻击脚本
3. /// </summary>
4. /// <param name="input">传入字符串</param>
5. /// <returns>过滤后的字符串</returns>
6. public string FilterXSS(string html)
7. {
8. if (string.IsNullOrEmpty(html)) return string.Empty;
10. // CR(0a) ，LF(0b) ，TAB(9) 除外，过滤掉所有的不打印出来字符.
11. // 目的防止这样形式的入侵＜java\0script＞
12. // 注意：\n, \r, \t 可能需要单独处理，因为可能会要用到
13. string ret = System.Text.RegularExpressions.Regex.Replace(
14. html, "([\x00-\x08][\x0b-\x0c][\x0e-\x20])", string.Empty);
16. //替换所有可能的16进制构建的恶意代码
17. //<IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&_#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
18. string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()~`;:?+/={}[]-_|'\"\\";
19. for (int i = 0; i < chars.Length; i++)
20. {
21. ret = System.Text.RegularExpressions.Regex.Replace(ret, string.Concat("(&#[x|X]0{0,}", Convert.ToString((int)chars[i], 16).ToLower(), ";?)"),
22. chars[i].ToString(), System.Text.RegularExpressions.RegexOptions.IgnoreCase);
23. }
25. //过滤\t, \n, \r构建的恶意代码
26. string[] keywords = {"javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link", "style", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound", "title", "base"
27. ,"onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce", "oncellchange", "onchange", "onclick", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit", "onunload"};
29. bool found = true;
30. while (found)
31. {
32. var retBefore = ret;
33. for (int i = 0; i < keywords.Length; i++)
34. {
35. string pattern = "/";
36. for (int j = 0; j < keywords[i].Length; j++)
37. {
38. if (j > 0)
39. pattern = string.Concat(pattern, '(', "(&#[x|X]0{0,8}([9][a][b]);?)?", "|(&#0{0,8}([9][10][13]);?)?",
40. ")?");
41. pattern = string.Concat(pattern, keywords[i][j]);
42. }
43. string replacement = string.Concat(keywords[i].Substring(0, 2), "＜x＞", keywords[i].Substring(2));
44. ret = System.Text.RegularExpressions.Regex.Replace(ret, pattern, replacement, System.Text.RegularExpressions.RegexOptions.IgnoreCase);
45. if (ret == retBefore)
46. found = false;
47. }
49. }
51. return ret;
52. }
随着攻击漏洞的发现，此API可能还不尽完善，大家有什么想法和意见都可以评论一起交流呵呵
Hits: 316 Feedback: 1 标签：脚本安全 Trackback Permalink: http://www.aspstat.com/132

FIRST 1 LAST

Take Up With Web Technology–坏坏的网志

代码：asp.net防止XSS攻击

联系我[Contact Me]

分类[Category]

存档[Storage]

热门日志

最近网志

最新评论

链接[Links]

在线[Last 10 Online Users]

订阅[Subscribe]