小题大作:.Text中恶意脚本过滤的新方法
我下面所要讲的实现方法,实际上是A Taste of AOP from Solving Problems with OOP and Design Patterns 一文中设计思想的实际应用。实现的原理是:拦截对对象的属性的访问, 在属性返回之前,对属性值进行过滤。
本想好好写一下这篇文章,可测试成功后,急于想把成功与大家分享,再加上成功后的兴奋,竟然感觉脑子里乱七八糟,不知写什么好,算了,先将代码贴出来给大家看看,这样也正好看看大家能不能通过我的代码理解我的实现方法,验证一下我写的代码的可读性。欢迎大家针对我的代码展开批评与讨论:
FilterRealProxy类:一个真实代理, 拦截它所代理对象中方法的返回值,并对需要过滤的返回值进行过滤。
public class FilterRealProxy:RealProxy
{
private MarshalByRefObject target;
public FilterRealProxy(MarshalByRefObject target):base(target.GetType())
{
this.target=target;
}
public override IMessage Invoke(IMessage msg)
{
IMethodCallMessage callMsg=msg as IMethodCallMessage;
IMethodReturnMessage returnMsg = RemotingServices.ExecuteMessage(target,callMsg);
if(this.IsMatchType(returnMsg.ReturnValue))//检查返回值是否为String,如果不是String,就没必要进行过滤
{
string returnValue=this.Filter(returnMsg.ReturnValue.ToString(),returnMsg.MethodName);
return new ReturnMessage(returnValue,null,0,null,callMsg);
}
return returnMsg;
}
protected string Filter(string ReturnValue,string MethodName)
{
MethodInfo methodInfo=target.GetType().GetMethod(MethodName);
object[] attributes=methodInfo.GetCustomAttributes(typeof(StringFilter),true);
foreach (object attrib in attributes)
{
return FilterHandler.Process(((StringFilter)attrib).FilterType,ReturnValue);
}
return ReturnValue;
}
protected bool IsMatchType(object obj)
{
return obj is System.String;
}
}
StringFilter类:自定义属性类, 定义目标元素的过滤类型
public class StringFilter:Attribute
{
public StringFilter(FilterType filterType)
{
this._filterType=filterType;
}
protected FilterType _filterType;
public FilterType FilterType
{
get
{
return _filterType;
}
}
}
枚举类:用于指定过滤类型,例如:对script过滤还是对html进行过滤?
[Flags()]
public enum FilterType
{
Script = 1,
Html =2
}
过滤处理类:根据过滤类型,调用相应的过滤处理方法。
public class FilterHandler
{
private FilterHandler()
{
}
public static string Process(FilterType filterType,string filterContent)
{
switch (filterType)
{
case FilterType.Script:
return FilterScript(filterContent);
break;
case FilterType.Html:
return FilterHtml(filterContent);
break;
default:
return filterContent;
break;
}
}
public static string FilterScript(string content)
{
string regexstr=@"(?i)<script([^>])*>(\w|\W)*</script([^>])*>";
return Regex.Replace(content,regexstr,string.Empty,RegexOptions.IgnoreCase);
}
public static string FilterHtml(string content)
{
string newstr=FilterScript(content);
string regexstr=@"<[^>]*>";
return Regex.Replace(newstr,regexstr,string.Empty,RegexOptions.IgnoreCase);
}
}
public class Entry : MarshalByRefObject
{
public Entry()
{
}
public static Entry CreateInstance()
{
Entry entry=new Entry();
RealProxy realProxy = new FilterRealProxy(entry);
object transparentProxy = realProxy.GetTransparentProxy();
return (Entry)transparentProxy;
}
private string _body;
public virtual string Body
{
[StringFilter(FilterType.Scrtipt)] //通过StringFilter设置实体类的属性是否需要过滤,以及指定过滤的方法
get{return _body;}
set{_body = value;}
}
}
NUnit测试代码:
[Test]
public void EntryTest()
{
Entry en=Entry.CreateInstance();
System.IO.StreamReader sr=new System.IO.StreamReader("script.txt");//得到一个含有script脚本的字符串
en.Body=sr.ReadToEnd();
Console.Write(en.Body);
}
测试结果是得到了一个不含script的字符串。