asp.net core2 mvc 基础教程-- XSS & CSRF

首先新建一个Xss处理的帮助类

    public static class XSSHelper
    {
        /// <summary>
        /// XSS过滤
        /// </summary>
        /// <param name="html">html代码</param>
        /// <returns>过滤结果</returns>
        public static string XssFilter(string html)
        {
            string str = HtmlFilter(html);
            return str;
        }
 
        /// <summary>
        /// 过滤HTML标记
        /// </summary>
        /// <param name="Htmlstring"></param>
        /// <returns></returns>
        public static string HtmlFilter(string Htmlstring)
        {
       
            string result = Regex.Replace(Htmlstring, @"<[^>]*>", String.Empty);
            return result;
        }
    }
 /// <summary>
    ///sql和xss脚本过滤
    /// </summary>
    /// <param name="input">传入字符串</param>
    /// <returns>过滤后的字符串</returns>
    public static string FilterSqlXss(string objStr)
    {
      return FilterXSS(FilterSql(objStr));
    }




    
    /// <summary>
    /// 过滤sql攻击脚本
    /// </summary>
    /// <param name="input">传入字符串</param>
    /// <returns>过滤后的字符串</returns>
    public static string FilterSql(string objStr)
    {
      string strXSS = "|‘,‘‘|shell,s hell|cmd,c md|alter,a lter|drop,d rop|union,u nion|exec,e xec|declare,d eclare|delete,d elete|create,c reate|update,u pdate|insert,i nsert|select,s elect|dbo.,d bo.|--,--|\\(,(|\\),)|";
      objStr = ReplaceString(objStr,strXSS);
      return objStr;
    }




    /// <summary>
    /// 过滤xss攻击脚本
    /// </summary>
    /// <param name="input">传入字符串</param>
    /// <returns>过滤后的字符串</returns>
    public static string FilterXSS(string html)
    {
      if (html==null) return "";
  
      // CR(0a) ,LF(0b) ,TAB(9) 除外,过滤掉所有的不打印出来字符.
      // 目的防止这样形式的入侵 <java\0script>
      // 注意:\n, \r, \t 可能需要单独处理,因为可能会要用到
      string ret = System.Text.RegularExpressions.Regex.Replace(
        html, "([\x00-\x08][\x0b-\x0c][\x0e-\x20])", string.Empty);
  
      //替换所有可能的16进制构建的恶意代码
      //<IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74
      //&#X3A&#X61&_#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
      string chars = "abcdefghijklmnopqrstuvwxyz"+
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"+
        "!@#$%^&*()~`;:?+/={}[]-_|‘\"\\";
      for (int i = 0; i < chars.Length; i++)
      {
        ret =
          System.Text.RegularExpressions.Regex.Replace(ret,
          string.Concat("(&#[x|X]0{0,}",
          Convert.ToString((int)chars[i], 16).ToLower(),
          ";?)"),
          chars[i].ToString(),
          System.Text.RegularExpressions.RegexOptions.IgnoreCase);
      }
  
      //过滤\t, \n, \r构建的恶意代码
      string[] keywords = {"javascript", "vbscript", "expression",
                  "applet", "meta", "xml", "blink", "link", "style",
                  "script", "embed", "object", "iframe", "frame",
                  "frameset", "ilayer", "layer", "bgsound", "title",
                  "base" ,"onabort", "onactivate", "onafterprint",
                  "onafterupdate", "onbeforeactivate", "onbeforecopy",
                  "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus",
                  "onbeforepaste", "onbeforeprint", "onbeforeunload",
                  "onbeforeupdate", "onblur", "onbounce", "oncellchange",
                  "onchange", "onclick", "oncontextmenu", "oncontrolselect",
                  "oncopy", "oncut", "ondataavailable", "ondatasetchanged",
                  "ondatasetcomplete", "ondblclick", "ondeactivate",
                  "ondrag", "ondragend", "ondragenter", "ondragleave",
                  "ondragover", "ondragstart", "ondrop", "onerror",
                  "onerrorupdate", "onfilterchange", "onfinish",
                  "onfocus", "onfocusin", "onfocusout", "onhelp",
                  "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete",
                  "onload", "onlosecapture", "onmousedown", "onmouseenter",
                  "onmouseleave", "onmousemove", "onmouseout", "onmouseover",
                  "onmouseup", "onmousewheel", "onmove", "onmoveend",
                  "onmovestart", "onpaste", "onpropertychange",
                  "onreadystatechange", "onreset", "onresize",
                  "onresizeend", "onresizestart", "onrowenter",
                  "onrowexit", "onrowsdelete", "onrowsinserted",
                  "onscroll", "onselect", "onselectionchange",
                  "onselectstart", "onstart", "onstop", "onsubmit",
                  "onunload"};
  
      bool found = true;
      while (found)
      {
        string retBefore = ret;
        for (int i = 0; i < keywords.Length; i++)
        {
          string pattern = "/";
          for (int j = 0; j < keywords[i].Length; j++)
          {
            if (j > 0)
              pattern = string.Concat(pattern,
                (, "(&#[x|X]0{0,8}([9][a][b]);?)?",
                "|(&#0{0,8}([9][10][13]);?)?",
                ")?");
            pattern = string.Concat(pattern, keywords[i][j]);
          }
          string replacement =
            string.Concat(keywords[i].Substring(0, 2),
            "<x>", keywords[i].Substring(2));
          ret =
            System.Text.RegularExpressions.Regex.Replace(ret,
            pattern, replacement,
            System.Text.RegularExpressions.RegexOptions.IgnoreCase);
          if (ret == retBefore)
            found = false;
        }
  
      }
  
      return ret;
    } 

 

asp.net core2 mvc 基础教程-- XSS & CSRF

上一篇:iOS TouchID & FaceID


下一篇:application.properties 中文乱码问题解决