使用antixss防御xss

AntiXSS,由微软推出的用于防止XSS攻击的一个类库,可实现输入白名单机制和输出转义
  文章最后有antixx演示工程下载
  antixss下载地址
  http://www.microsoft.com/download/en/details.aspx?id=5242
  msi安装程序,安装之后,安装目录下有以下文件
  AntiXSS.chm   包括类库的操作手册参数说明
  HtmlSanitizationLibrary.dll    包含Sanitizer类(输入白名单)
  AntiXSSLibrary.dll    包含Antixss,Encoder类(输出转义)
  使用时在工程内添加引用HtmlSanitizationLibrary.dll 和AntiXSSLibrary.dll
  导入命名空间using Microsoft.Security.Application;
  1、输入白名单
  调用Sanitizer.GetSafeHtmlFragment方法即可,url_c未过滤后的干净字串
  url = Request.QueryString["url"];
  url_c = Sanitizer.GetSafeHtmlFragment(url);
  Response.Write(url_c);
  2、输出转义
  //HTML内容编码
  html_cont = Encoder.HtmlEncode(url);
  //html_cont = url;
  //HTML属性编码
  input1.Value = Encoder.HtmlAttributeEncode(url);
  //input1.Value = url;
  //对js进行编码
  url_c = Encoder.JavaScriptEncode(url);
  //url_c = url;
  //URL编码
  img1.Src = Encoder.UrlEncode(url);
  //img1.Src = url;
  XmlDocument xmlDoc;
  XmlNodeList nodeList;
  //XML属性编码
  isbn = Encoder.XmlAttributeEncode(Request.QueryString["isbn"]);
  if (isbn != null)
  {
  xmlDoc = new XmlDocument();
  xmlDoc.Load(Server.MapPath("db.xml"));
  nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
  foreach (XmlNode xn in nodeList)
  {
  XmlElement xe = (XmlElement)xn;
  if (xe.GetAttribute("genre") == "张三")
  {
  xe.SetAttribute("ISBN", isbn);
  }
  }
  xmlDoc.Save(Server.MapPath("db.xml"));
  }
  //XML内容编码
  price = Encoder.XmlEncode(Request.QueryString["price"]);
  price = Request.QueryString["price"];
  if (price != null)
  {
  xmlDoc = new XmlDocument();
  xmlDoc.Load(Server.MapPath("db.xml"));
  nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
  foreach (XmlNode xn in nodeList)
  {
  XmlElement xe = (XmlElement)xn;
  if (xe.GetAttribute("genre") == "张三")
  {
  XmlNodeList nls = xe.ChildNodes;
  foreach (XmlNode xn1 in nls)
  {
  XmlElement xe2 = (XmlElement)xn1;
  if (xe2.Name == "price")
  {
  xe2.InnerText = price;
  }
  }
  }
  }
  xmlDoc.Save(Server.MapPath("db.xml"));
  }
  以下为表示层
  <asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
  <form action="" id="form1" method="post">
  <table border="1">
  <tr>
  <td width="100">类型</td>
  <td width="300">POC clickme</td>
  <td width="500">result</td>
  </tr>
  <tr>
  <td>HTML内容</td>
  <td><a href="?url=%3Cscript%3Ealert('xss')%3C/script%3E" >&lt;script&gt;alert('xss')&lt;/script&gt;< /a></td>
  <td><pre id="h1" runat="server" ><%=html_cont %></pre></td>
  </tr>
  <tr>
  <td>HTML属性</td>
  <td><a href="?url=%22%20src=%22javascript:alert('xss')%22" >&quot; src=&quot;javascript:alert('xss')&quot;</a></td>
  <td><input id="input1" runat="server"/></td>
  </tr>
  <tr>
  <td>js</td>
  <td><a href="?url=test';alert(1);'">test';alert(1);'</td>
  <td>
  <script type="text/javascript">
  var url = <%=url_c %>;
  </script>
  </td>
  </tr>
  <tr>
  <td>URL</td>
  <td><a href="?url=javascript:alert('xss')" >javascript:alert('xss')</a></td>
  <td><img id="img1" runat="server" alt="img1" /></td>
  </tr>
  <tr>
  <td>XML属性编码</td>
  <td><a href="?isbn=2-3631-4" >isbn=2-3631-4</a></td>
  <td><%=isbn %></td>
  </tr>
  <tr>
  <td>XML内容编码www.2cto.com</td>
  <td><a href="?price=90" >price=90</a></td>
  <td><%=price %></td>
  </tr>
  </table>
  </form>
  </asp:Content>

posted @ 2012-02-10 11:27  大智若简  阅读(1186)  评论(0编辑  收藏  举报