C# 防XSS攻击 示例
思路: 对程序代码进行过滤非法的关键字
新建控制台程序,编写代码测试过滤效果
class Program { static void Main(string[] args) { //GetStrRegex(); Console.WriteLine("请输入字符串:"); string str = Console.ReadLine(); for (int i = 0; i < 100; i++) { Test(str); } } static void Test(string str) { Console.WriteLine("请输入正则表达式:"); string StrRegex = Console.ReadLine(); str = Regex.Replace(str, StrRegex, "", RegexOptions.IgnoreCase); Console.WriteLine($"处理后的字符串为:{str}"); } }
输入字符串测试及正则表达式,观察测试效果
字符串:<script>(script)</script><style>alert("中国伟大复兴")</style><h1>111</h1><h2>222</h2>drop delete <div style=""> select update exec trunc database table index @@@hao好的// 中国。湖北。武汉&& 湖北-- 中国加油! 正则表达式:
a: <[^>]*|
b: <[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)
经过多次测试,选择你所认为合适的正则表达式
下面是我目前选择的正则表达式,你可以根据需要进行修改
static string GetStrRegex() { List<string> strList = new List<string>(); List<string> htmlList = new List<string>() { "<h1>","<h2>","<h3>","<h4>","<h5>","<h6>","<style>","<script>","javascript","onload","onerror","eval","alert","prompt"}; List<string> sqlList = new List<string>() { "select","update","delete","drop","trunc","exec","table","database","or","and"}; List<string> chList = new List<string>() { "//","--", "@", "&" ,"||"}; strList.AddRange(htmlList); strList.AddRange(sqlList); strList.AddRange(chList); string strRegex = string.Join("|", strList.ToArray()); Console.WriteLine($"你的正则表达式是{strRegex}"); return strRegex; }
测试效果
其实最简单的做法就是url编码、html编码一下就可以了
付费内容,请联系本人QQ:1002453261
本文来自博客园,作者:明志德道,转载请注明原文链接:https://www.cnblogs.com/for-easy-fast/p/12968860.html