首先新建一个Xss处理的帮助类
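/// <summary>
/// Helper that neutralises HTML mark-up in untrusted text before it is rendered.
/// </summary>
/// <remarks>
/// Tag stripping is a weak XSS control: it is only meaningful when the value is later
/// inserted into an HTML text node. For attribute, URL or JavaScript contexts, and for any
/// value whose original characters must be preserved, prefer context-aware output encoding
/// at the point of rendering (HttpUtility/WebUtility.HtmlEncode) over input filtering.
/// </remarks>
public static class XSSHelper
{
    // A complete tag: '<', any run of non-'>' characters, then '>'.
    // Cached so the pattern is not re-parsed on every call.
    private static readonly Regex TagPattern = new Regex(@"<[^>]*>", RegexOptions.Compiled);

    /// <summary>
    /// XSS filter: strips HTML tags from <paramref name="html"/> and encodes any angle
    /// bracket that survives stripping.
    /// </summary>
    /// <param name="html">Untrusted text that may contain HTML; null is treated as empty.</param>
    /// <returns>The filtered text.</returns>
    public static string XssFilter(string html)
    {
        return HtmlFilter(html);
    }

    /// <summary>
    /// Removes HTML tags and neutralises dangling angle brackets.
    /// </summary>
    /// <param name="Htmlstring">Untrusted text; null or empty yields an empty string
    /// (the previous version threw ArgumentNullException on null).</param>
    /// <returns>The text with tags removed and any remaining '&lt;' / '&gt;' HTML-encoded.</returns>
    public static string HtmlFilter(string Htmlstring)
    {
        if (string.IsNullOrEmpty(Htmlstring))
        {
            return String.Empty;
        }

        string stripped = TagPattern.Replace(Htmlstring, String.Empty);

        // After the pass above, any '<' still present has no '>' after it. Written into an
        // HTML page, the browser keeps parsing such a tag until the next '>' in the page, so
        // "<img src=x onerror=alert(1)" would survive the strip and still execute.
        // Encoding the leftovers closes that gap without altering ordinary text.
        return stripped.Replace("<", "&lt;").Replace(">", "&gt;");
    }
}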
/// <summary>
/// Applies the SQL keyword filter and then the XSS filter to one untrusted string.
/// </summary>
/// <param name="objStr">Untrusted input; passed to FilterSql as-is (including null).</param>
/// <returns>The string after both passes.</returns>
/// <remarks>
/// NOTE(review): neither pass is a substitute for parameterised SQL and context-aware
/// output encoding at the point where the value is used; see the notes on each method.
/// </remarks>
public static string FilterSqlXss(string objStr)
{
    return FilterXSS(FilterSql(objStr));
}

/// <summary>
/// Blacklist "SQL injection" filter: rewrites a fixed list of SQL keywords by inserting a
/// space after their first letter (e.g. "select" -> "s elect") through ReplaceString,
/// which is defined elsewhere in this file.
/// </summary>
/// <param name="objStr">Untrusted input.</param>
/// <returns>The input with the listed keywords mangled.</returns>
/// <remarks>
/// NOTE(review): this does not prevent SQL injection. Keyword blacklists are bypassed by
/// inline comments, alternative encodings and keywords that are not on the list, and they
/// corrupt legitimate text ("selection" becomes "s election"). The correct control is a
/// parameterised query / stored-procedure parameter at the data-access layer. If this
/// method is kept for legacy reasons, treat it as cosmetic only.
/// </remarks>
public static string FilterSql(string objStr)
{
    // Rule table consumed by ReplaceString; the '|'-separated entries look like "from,to"
    // pairs, but ReplaceString is not visible here - TODO confirm its exact format.
    // NOTE(review): the first rule uses the typographic quote U+2018 (‘) rather than the
    // ASCII apostrophe ('), so the one character that matters most for SQL injection is
    // never touched. "--,--", "\\(,(" and "\\),)" replace a token with itself as written
    // (unless the targets were full-width characters lost in transcription). This looks
    // like encoding damage from copy/paste - verify against the original source.
    string strXSS = "|‘,‘‘|shell,s hell|cmd,c md|alter,a lter|drop,d rop|union,u nion|exec,e xec|declare,d eclare|delete,d elete|create,c reate|update,u pdate|insert,i nsert|select,s elect|dbo.,d bo.|--,--|\\(,(|\\),)|";
    objStr = ReplaceString(objStr,strXSS);
    return objStr;
}

/// <summary>
/// Blacklist XSS filter (a port of the PHP "RemoveXSS" routine): drops some control
/// characters, decodes hexadecimal numeric entities back to printable ASCII, then breaks
/// up a list of dangerous tag names and event-handler attributes by inserting "&lt;x&gt;"
/// after their second character (e.g. "javascript" -> "ja&lt;x&gt;vascript").
/// </summary>
/// <param name="html">Untrusted HTML or text; null is treated as empty.</param>
/// <returns>The rewritten string.</returns>
/// <remarks>
/// NOTE(review): blacklist rewriting is not a reliable XSS defence - attribute names not on
/// the list, SVG/MathML vectors, decimal entities and whitespace tricks this code does not
/// cover all get through. Prefer encoding at output time for the exact context (HTML text,
/// attribute, URL, JavaScript) or an allow-list HTML sanitiser. Several of the patterns
/// below are also broken as ported; see the inline notes.
/// </remarks>
public static string FilterXSS(string html)
{
    if (html==null) return "";

    // Intended: strip non-printable characters except TAB (0x09), LF (0x0a) and CR (0x0d)
    // to defeat payloads such as "<java\0script>". (The original comment's hex values were
    // wrong: LF is 0x0a and CR is 0x0d.)
    // NOTE(review): as written the pattern does not do that. "[\x00-\x08][\x0b-\x0c][\x0e-\x20]"
    // is three consecutive character classes, so it only matches a run of exactly three
    // bytes, one from each range - a lone NUL is left in place. A single class such as
    // "[\x00-\x08\x0b\x0c\x0e-\x1f]" was meant; note also that the upper bound \x20 would
    // strip ordinary spaces if the pattern ever matched.
    string ret = System.Text.RegularExpressions.Regex.Replace( html, "([\x00-\x08][\x0b-\x0c][\x0e-\x20])", string.Empty);

    // Decode hexadecimal numeric character references for printable ASCII so that
    // "&#x6A;avascript"-style obfuscation (e.g. <IMG SRC=&#x6A;avascript:...>) is seen by
    // the keyword pass below as plain text.
    // NOTE(review): only hex entities are handled; decimal entities (&#106;) are not decoded
    // and so bypass the keyword pass. "[x|X]" is a character class that also matches a
    // literal '|' - "[xX]" was intended. The typographic quote in the character list is
    // again U+2018, not the ASCII apostrophe.
    string chars = "abcdefghijklmnopqrstuvwxyz"+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"+ "!@#$%^&*()~`;:?+/={}[]-_|‘\"\\";
    for (int i = 0; i < chars.Length; i++)
    {
        // Builds "(&#[x|X]0{0,}<hex>;?)" per character: leading zeros allowed and the ';'
        // optional, mirroring lenient browser entity parsing.
        ret = System.Text.RegularExpressions.Regex.Replace(ret, string.Concat("(&#[x|X]0{0,}", Convert.ToString((int)chars[i], 16).ToLower(), ";?)"), chars[i].ToString(), System.Text.RegularExpressions.RegexOptions.IgnoreCase);
    }

    // Tag names and event-handler attributes to break up, even when their letters are
    // separated by encoded TAB/LF/CR entities.
    string[] keywords = {"javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link", "style", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound", "title", "base" ,"onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce", "oncellchange", 
    "onchange", "onclick", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload", "onlosecapture", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit", "onunload"};
    bool found = true;
    while (found)
    {
        string retBefore = ret;
        for (int i = 0; i < keywords.Length; i++)
        {
            // NOTE(review): the pattern starts with a literal "/". In the PHP original that
            // was the regex delimiter; in .NET it is part of the pattern, so a keyword is
            // only rewritten when a slash immediately precedes it. "javascript:alert(1)" in
            // an href, or a bare "onerror=", is never matched. This should be "".
            string pattern = "/";
            for (int j = 0; j < keywords[i].Length; j++)
            {
                // Between each pair of letters, allow an optional encoded TAB/LF/CR entity.
                // NOTE(review): ‘(‘ uses typographic quotes and is not a valid C# char
                // literal ('('). "([9][a][b])" and "([9][10][13])" are sequences of classes
                // rather than alternations ("(9|a|b)", "(9|10|13)"), and the second entity
                // prefix is garbled in this copy - restore "&#0{0,8}" from the original.
                if (j > 0) pattern = string.Concat(pattern, ‘(‘, "(&#[x|X]0{0,8}([9][a][b]);?)?", "|(�{0,8}([9][10][13]);?)?", ")?");
                pattern = string.Concat(pattern, keywords[i][j]);
            }
            // e.g. "javascript" -> "ja<x>vascript": the inserted "<x>" makes the name
            // unrecognisable to the browser while leaving the text readable.
            string replacement = string.Concat(keywords[i].Substring(0, 2), "<x>", keywords[i].Substring(2));
            ret = System.Text.RegularExpressions.Regex.Replace(ret, pattern, replacement, System.Text.RegularExpressions.RegexOptions.IgnoreCase);
            // Intended: repeat the sweep until nothing changes.
            // NOTE(review): 'found' is cleared as soon as any single keyword leaves the text
            // unchanged and is never set back, so the outer loop stops after this sweep
            // unless the very first keyword matched; "loop until stable" does not hold.
            if (ret == retBefore) found = false;
        }
    }
    return ret;
}