首先新建一个 XSS 处理的帮助类。需要说明的是：下面两段代码都是基于黑名单的“输入过滤”，只能作为纵深防御中的一层，并不能替代真正的防御手段——防 XSS 要在输出时按上下文做编码（如 HtmlEncode / 属性编码），防 SQL 注入要使用参数化查询。
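/// <summary>
/// Minimal "XSS filter" helper: removes every HTML tag from a string.
/// </summary>
/// <remarks>
/// SECURITY NOTE (review): stripping tags on input is not a substitute for output
/// encoding. The regex only removes complete <c>&lt;...&gt;</c> sequences, so an
/// unterminated tag (e.g. <c>&lt;img src=x onerror=alert(1)</c> with no closing
/// <c>&gt;</c>) survives, as does anything a browser will decode later (entities,
/// <c>javascript:</c> URLs in surviving attribute values). Encode at render time
/// (HtmlEncode / attribute encoding) and treat this helper as defence in depth only.
/// </remarks>
public static class XSSHelper
{
    // Matches one complete tag: '<', anything that is not '>', then '>'.
    // Cached so the pattern is parsed once rather than on every call.
    private static readonly Regex TagPattern = new Regex(@"<[^>]*>", RegexOptions.Compiled);

    /// <summary>
    /// XSS filter entry point; currently identical to <see cref="HtmlFilter"/>.
    /// </summary>
    /// <param name="html">Untrusted text that may contain HTML; <c>null</c> is treated as empty.</param>
    /// <returns>The input with every complete <c>&lt;...&gt;</c> sequence removed.</returns>
    public static string XssFilter(string html)
    {
        return HtmlFilter(html);
    }

    /// <summary>
    /// Removes HTML tags (every complete <c>&lt;...&gt;</c> sequence) from <paramref name="Htmlstring"/>.
    /// Text outside tags, including a lone '&lt;' with no matching '&gt;', is left untouched.
    /// </summary>
    /// <param name="Htmlstring">Untrusted text; <c>null</c> or empty yields <see cref="string.Empty"/>.</param>
    /// <returns>The tag-stripped text.</returns>
    public static string HtmlFilter(string Htmlstring)
    {
        // Null used to throw from Regex.Replace; return "" instead, matching FilterXSS's null handling.
        if (string.IsNullOrEmpty(Htmlstring))
        {
            return string.Empty;
        }
        return TagPattern.Replace(Htmlstring, string.Empty);
    }
}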
/// <summary>
/// Runs the blacklist SQL filter and then the blacklist XSS filter over <paramref name="objStr"/>.
/// </summary>
/// <remarks>
/// SECURITY NOTE (review): both stages are keyword blacklists. They alter legitimate text
/// (e.g. "select" becomes "s elect", "title" becomes "ti&lt;x&gt;tle") and neither one is a
/// complete defence: use parameterised SQL and context-aware output encoding instead, and
/// keep this only as an extra layer.
/// </remarks>
/// <param name="objStr">Untrusted input string.</param>
/// <returns>The string after <c>FilterSql</c> followed by <c>FilterXSS</c>.</returns>
public static string FilterSqlXss(string objStr)
{
    string withoutSqlKeywords = FilterSql(objStr);
    string withoutXssKeywords = FilterXSS(withoutSqlKeywords);
    return withoutXssKeywords;
}
/// <summary>
/// Blacklist "SQL filter": hands <paramref name="objStr"/> plus a fixed list of
/// <c>from,to</c> pairs (delimited by <c>|</c>) to <c>ReplaceString</c>, which is
/// defined elsewhere. The pairs split SQL keywords with a space ("select" -> "s elect",
/// "drop" -> "d rop") and touch quotes, "--", "dbo." and parentheses.
/// </summary>
/// <remarks>
/// SECURITY NOTE (review): this does not prevent SQL injection. Anything not on the list
/// passes through, and ordinary user text is corrupted ("Select a colour" -> "S elect a
/// colour"). The actual defence is parameterised commands; do not rely on this filter.
/// NOTE(review): the exact replacement semantics (case sensitivity, whether the
/// <c>\\(</c> entries are regex escapes) depend on <c>ReplaceString</c> — confirm there.
/// </remarks>
/// <param name="objStr">Untrusted input string.</param>
/// <returns>The string returned by <c>ReplaceString</c> for the blacklist below.</returns>
public static string FilterSql(string objStr)
{
    // "|from,to|from,to|...": each pair is applied by ReplaceString (not shown here).
    const string replacementPairs = "|‘,‘‘|shell,s hell|cmd,c md|alter,a lter|drop,d rop|union,u nion|exec,e xec|declare,d eclare|delete,d elete|create,c reate|update,u pdate|insert,i nsert|select,s elect|dbo.,d bo.|--,--|\\(,(|\\),)|";
    return ReplaceString(objStr, replacementPairs);
}
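/// <summary>
/// Blacklist-style XSS filter. Three passes over <paramref name="html"/>:
/// (1) strip ASCII control characters (TAB, LF and CR are kept);
/// (2) decode hex numeric character references of printable ASCII ("&amp;#x6A;" -> "j")
///     so that entity-encoded keywords become visible to step 3;
/// (3) break every blacklisted tag / attribute / event keyword by inserting "&lt;x&gt;"
///     after its second character ("javascript" -> "ja&lt;x&gt;vascript"), repeating
///     until a full pass changes nothing.
/// </summary>
/// <remarks>
/// SECURITY NOTE (review): this is a keyword blacklist. It does not parse HTML, knows only
/// the words listed below, and also mangles legitimate text ("link", "title", "base",
/// "xml" ...). Treat it as defence in depth only; the real XSS defence is context-aware
/// output encoding at render time (HtmlEncode / attribute / JavaScript encoding), or a
/// proper HTML sanitizer when markup must be preserved.
/// Fixes relative to the previous version: the loop bounds were missing, the keyword
/// pattern started with a leftover "/" delimiter (so a keyword only matched after a
/// slash), the control-character pattern demanded three consecutive characters and so
/// never matched, and the "&amp;#" prefix of the entity patterns had been lost.
/// </remarks>
/// <param name="html">Untrusted text; <c>null</c> is treated as empty.</param>
/// <returns>The filtered text, or "" for <c>null</c>.</returns>
public static string FilterXSS(string html)
{
    if (html == null) return "";

    // Step 1: drop non-printable control characters. TAB (0x09), LF (0x0A) and CR (0x0D)
    // are kept because callers may need them. Defeats tricks such as <java\0script>.
    string ret = ControlChars.Replace(html, string.Empty);

    // Step 2: decode hex character references of printable ASCII, e.g. "&#x6A;", "&#X006a"
    // (the ';' is optional), so "&#x6A;avascript" is seen as "javascript" by step 3.
    // References that decode to anything outside DecodableChars are left as they are.
    ret = HexCharRef.Replace(ret, m =>
    {
        char decoded = (char)Convert.ToInt32(m.Groups[1].Value, 16);
        return DecodableChars.IndexOf(decoded) >= 0 ? decoded.ToString() : m.Value;
    });

    // Step 3: split each blacklisted keyword so a browser no longer recognises it. The
    // patterns tolerate an entity-encoded TAB/LF/CR between any two letters ("ja&#10;vascript"),
    // and the replacement is the plain lowercase keyword with "<x>" after two characters,
    // which also discards that embedded entity. One replacement can expose another match
    // ("javascript" -> "ja<x>vascript" still contains "script"), so loop until stable.
    bool changed = true;
    while (changed)
    {
        string before = ret;
        for (int i = 0; i < Keywords.Length; i++)
        {
            string broken = Keywords[i].Substring(0, 2) + "<x>" + Keywords[i].Substring(2);
            ret = KeywordPatterns[i].Replace(ret, broken);
        }
        changed = ret != before;
    }
    return ret;
}

// Printable ASCII characters whose hex character references step 2 decodes.
private const string DecodableChars =
    "abcdefghijklmnopqrstuvwxyz" +
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890" +
    "!@#$%^&*()~`;:?+/={}[]-_|'\"\\";

// ASCII control characters except TAB, LF and CR (a single character class, not a sequence).
private static readonly System.Text.RegularExpressions.Regex ControlChars =
    new System.Text.RegularExpressions.Regex(@"[\x00-\x08\x0b\x0c\x0e-\x1f]",
        System.Text.RegularExpressions.RegexOptions.Compiled);

// "&#x" / "&#X", any number of leading zeros, two hex digits, optional ';'.
private static readonly System.Text.RegularExpressions.Regex HexCharRef =
    new System.Text.RegularExpressions.Regex(@"&#[xX]0*([0-9a-fA-F]{2});?",
        System.Text.RegularExpressions.RegexOptions.Compiled);

// An optional entity-encoded TAB/LF/CR (&#x9; &#xa; &#xb; or &#9; &#10; &#13;) that may be
// slipped between two letters of a keyword.
private const string EncodedWhitespace = "(?:&#[xX]0{0,8}[9ab];?|&#0{0,8}(?:9|10|13);?)?";

// Tag names, attributes and event handlers that step 3 breaks up. Order matters only in
// that earlier entries are replaced first within a pass ("javascript" before "script").
// Declared before KeywordPatterns: static initialisers run in textual order.
private static readonly string[] Keywords = {
    "javascript", "vbscript", "expression",
    "applet", "meta", "xml", "blink", "link", "style",
    "script", "embed", "object", "iframe", "frame",
    "frameset", "ilayer", "layer", "bgsound", "title",
    "base", "onabort", "onactivate", "onafterprint",
    "onafterupdate", "onbeforeactivate", "onbeforecopy",
    "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus",
    "onbeforepaste", "onbeforeprint", "onbeforeunload",
    "onbeforeupdate", "onblur", "onbounce", "oncellchange",
    "onchange", "onclick", "oncontextmenu", "oncontrolselect",
    "oncopy", "oncut", "ondataavailable", "ondatasetchanged",
    "ondatasetcomplete", "ondblclick", "ondeactivate",
    "ondrag", "ondragend", "ondragenter", "ondragleave",
    "ondragover", "ondragstart", "ondrop", "onerror",
    "onerrorupdate", "onfilterchange", "onfinish",
    "onfocus", "onfocusin", "onfocusout", "onhelp",
    "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete",
    "onload", "onlosecapture", "onmousedown", "onmouseenter",
    "onmouseleave", "onmousemove", "onmouseout", "onmouseover",
    "onmouseup", "onmousewheel", "onmove", "onmoveend",
    "onmovestart", "onpaste", "onpropertychange",
    "onreadystatechange", "onreset", "onresize",
    "onresizeend", "onresizestart", "onrowenter",
    "onrowexit", "onrowsdelete", "onrowsinserted",
    "onscroll", "onselect", "onselectionchange",
    "onselectstart", "onstart", "onstop", "onsubmit",
    "onunload" };

// One case-insensitive regex per keyword, built once instead of on every call.
private static readonly System.Text.RegularExpressions.Regex[] KeywordPatterns = BuildKeywordPatterns();

// Builds "k(ws)?e(ws)?y..." for each keyword, where (ws)? is EncodedWhitespace.
private static System.Text.RegularExpressions.Regex[] BuildKeywordPatterns()
{
    var patterns = new System.Text.RegularExpressions.Regex[Keywords.Length];
    for (int i = 0; i < Keywords.Length; i++)
    {
        var pattern = new System.Text.StringBuilder();
        for (int j = 0; j < Keywords[i].Length; j++)
        {
            if (j > 0)
            {
                pattern.Append(EncodedWhitespace);
            }
            pattern.Append(System.Text.RegularExpressions.Regex.Escape(Keywords[i][j].ToString()));
        }
        patterns[i] = new System.Text.RegularExpressions.Regex(pattern.ToString(),
            System.Text.RegularExpressions.RegexOptions.IgnoreCase);
    }
    return patterns;
}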
asp.net core2 mvc 基础教程-- XSS & CSRF
原文地址:https://www.cnblogs.com/cqqinjie/p/13303046.html