asp防止xss(防xss过滤js脚本)


文章摘要:asp防止xss(防xss过滤js脚本)

asp网站空间过滤xss攻击的方法: 1、在web.config中添加httpModules节点; 2. 写一 […]

asp网站空间过滤xss攻击的方法: 1、在web.config中添加httpModules节点; 2. 写一个过滤器过滤危险的关键词,并添加一个安全的header。

建站教程网内容如下:

1.在web.config中添加httpModules节点

2.编写一个过滤器

using System;

using System.Collections.Generic;

using System.Configuration;

using System.Linq ;

使用System.Text.RegularExpressions;

使用System.Web;命名空间Org.Core.Commons

{

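/// <summary>
/// HTTP access interception module.
/// 1. Rejects requests whose path or parameters match a deny-list of dangerous patterns.
/// 2. Adds a security response header.
/// </summary>
/// <remarks>
/// A deny-list filter like this is defence in depth only: it does not replace contextual output
/// encoding for XSS or parameterised queries for SQL injection, and any pattern the list misses
/// passes through unchanged.
/// </remarks>
public class HttpAccessInterceptModule : IHttpModule
{
    // Upper bound for a single regex evaluation. The original called Regex.IsMatch with no
    // timeout, so a pattern with nested quantifiers could be driven into catastrophic
    // backtracking (ReDoS) by a crafted parameter value.
    private static readonly TimeSpan RegexTimeout = TimeSpan.FromMilliseconds(200);

    // Deny-list patterns, compiled once per AppDomain (the original re-parsed each pattern
    // string on every IsMatch call).
    private static readonly Regex[] _RegexWords;

    // Parameter names that are never inspected. The original skipped "aspxerrorpath" by name;
    // keep exemptions name-based so a value cannot opt itself out of filtering.
    private static readonly HashSet<string> _IgnoredKeys =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "aspxerrorpath" };

    static HttpAccessInterceptModule()
    {
        // Patterns reproduced as they appear in the original listing.
        List<string> patterns = new List<string>()
        {
            @" <[^>]+>'",
            @"]+>'",
            // The third pattern is truncated in the source listing (its closing quote is missing),
            // so it cannot be reproduced here; restore it from the original before deployment.
            // Visible prefix:
            //   <[^>]+?style =[w]+?:expression(|(alert|confirm|prompt|window|location|eval|console|debugger|new|Function|var|let)|^+/v(8| 9)| ...
        };

        // Keyword deny-list (empty in the listing). Each entry is wrapped so that it only matches
        // as a whole word. NOTE(review): the listing shows "(W+)"; the backslash of "\W" appears
        // to have been lost in transcription — confirm against the original.
        string[] keyWords = { };
        //{"'", "alert", "script", "case", "catch", "const", "continue", "debugge", "delete", "export*","final","finally","for","function","goto","if","implements","import*","return","switch","synchronized","throw","throws","transient","try","break"}
        //new string[] { "select", "insert", "update", "delete", "delete", "truncate" };
        patterns.AddRange(keyWords.Select(o => @"(^|(\W+))" + o + @"((\W+)|$)"));

        _RegexWords = patterns
            .Select(p => new Regex(p, RegexOptions.IgnoreCase | RegexOptions.Compiled, RegexTimeout))
            .ToArray();
    }

    /// <summary>Nothing to release: the module holds only static, process-wide state.</summary>
    public void Dispose()
    {
    }

    /// <summary>Registers the request filter and the content-type fix-up on the pipeline.</summary>
    /// <param name="context">The application whose BeginRequest/EndRequest events are hooked.</param>
    public void Init(HttpApplication context)
    {
        context.BeginRequest += Context_BeginRequest;
        context.EndRequest += Context_EndRequest;
    }

    /// <summary>
    /// Runs the deny-list checks for every non-ignored request and converts a validation failure
    /// (or any unexpected error) into a terminated 400 response.
    /// </summary>
    private void Context_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        try
        {
            if (IgnoreRequest(app.Request.CurrentExecutionFilePath))
                return;
            RequestFiller(app.Request);
            AddHeader(app.Response);
        }
        catch (Exception ex)
        {
            // PSBaseException is the module's own, deliberately generic rejection; anything else
            // is unexpected and is logged in full.
            bool isValidationFailure = ex is PSBaseException;
            if (!isValidationFailure)
                PSLog4net.Error(this, ex);

            app.Response.Clear();
            app.Response.StatusCode = 400;
            app.Response.ContentType = "text/plain; charset=utf-8";
            // Only the module's own fixed text is echoed to the client. The original wrote
            // ex.Message for every exception, which can leak internal details (paths, query
            // text, connection strings) for non-validation errors.
            app.Response.Write(isValidationFailure
                ? ex.Message
                : "存在访问风险,请求无法通过系统验证规则。");
            // CompleteRequest() skips to EndRequest without the ThreadAbortException that
            // Response.End() raises.
            app.CompleteRequest();
        }
    }

    /// <summary>Applies the response content-type fix-up at the end of every request.</summary>
    private void Context_EndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        SetContentType(app);
    }

    /// <summary>
    /// Rejects requests that touch the /log/ or /bak/ directories, or whose parameter names or
    /// values match any deny-list pattern.
    /// </summary>
    /// <param name="request">The request under inspection.</param>
    /// <exception cref="PSBaseException">The request failed a check; the thrown message is
    /// generic, the detailed reason goes to the log only.</exception>
    private void RequestFiller(HttpRequest request)
    {
        string error = "";
        // Ordinal comparison: the original used CurrentCultureIgnoreCase, which is slower and can
        // compare differently from the byte-level path IIS actually resolves.
        // NOTE(review): this sees only the decoded virtual path; keep the directories protected
        // by IIS request filtering / file-system ACLs as well.
        if (request.Path.IndexOf("/log/", StringComparison.OrdinalIgnoreCase) >= 0)
            error = "不允许访问/log/目录";
        if (string.IsNullOrEmpty(error) &&
            request.Path.IndexOf("/bak/", StringComparison.OrdinalIgnoreCase) >= 0)
            error = "不允许访问/bak/目录";

        if (string.IsNullOrEmpty(error))
        {
            // Params merges QueryString, Form, Cookies and ServerVariables; all of them are checked.
            foreach (string key in request.Params.AllKeys)
            {
                if (key != null && _IgnoredKeys.Contains(key))
                    continue;
                string value = request.Params[key];
                // The original skipped any value containing "jquery.alert" or "image" outright,
                // so a payload passed unchecked by merely including that word. Exempt specific
                // parameters by name through _IgnoredKeys instead.

                string matched = string.IsNullOrEmpty(key) ? null : FindMatch(key);
                if (matched == null && !string.IsNullOrEmpty(value))
                    matched = FindMatch(value);
                if (matched != null)
                {
                    error = $"存在访问风险,参数[{key}={value}]无法通过“{matched}”验证。";
                    break;
                }
            }
        }

        if (!string.IsNullOrEmpty(error))
        {
            // The detailed reason (including the offending value) is logged, not returned.
            // NOTE(review): the listing names both Log4net and PSLog4net; confirm which one exists.
            Log4net.Error(this, error);
            throw new PSBaseException("存在访问风险,请求无法通过系统验证规则。");
        }
    }

    /// <summary>
    /// Returns the pattern text of the first deny-list regex that matches <paramref name="input"/>,
    /// or null when none does.
    /// </summary>
    private static string FindMatch(string input)
    {
        foreach (Regex regex in _RegexWords)
        {
            try
            {
                if (regex.IsMatch(input))
                    return regex.ToString();
            }
            catch (RegexMatchTimeoutException)
            {
                // Fail closed: an input that drives a pattern past the timeout is treated as a
                // match rather than letting a pathological value through unchecked.
                return regex.ToString();
            }
        }
        return null;
    }

    /// <summary>Adds the security response header the module is documented to set.</summary>
    /// <param name="response">The response being built.</param>
    private void AddHeader(HttpResponse response)
    {
        // The original left this method empty. nosniff stops browsers from re-interpreting a
        // response as script/HTML when the server declared another type. Headers such as
        // X-Frame-Options or Content-Security-Policy depend on the site's framing and script
        // policy and should be added here once that policy is decided.
        response.AppendHeader("X-Content-Type-Options", "nosniff");
    }

    /// <summary>
    /// Ensures every response carries an explicit content type: PNG for .png paths, otherwise
    /// text/plain when the handler set none.
    /// </summary>
    private void SetContentType(HttpApplication app)
    {
        if (app.Request.Url.AbsolutePath.EndsWith(".png", StringComparison.OrdinalIgnoreCase))
            app.Response.ContentType = "image/png";
        if (string.IsNullOrEmpty(app.Response.ContentType))
            app.Response.ContentType = "text/plain; charset=utf-8";
    }

    /// <summary>Returns true for handler/service paths that bypass the deny-list checks.</summary>
    /// <param name="requestPath">The current execution file path.</param>
    private bool IgnoreRequest(string requestPath)
    {
        // NOTE(review): ".assx" and ".sjs" are reproduced from the listing; they look like
        // transcription errors (".ashx"/".js"?) — confirm before relying on these exemptions,
        // since anything matched here is never filtered.
        return requestPath.EndsWith(".assx", StringComparison.OrdinalIgnoreCase) ||
               requestPath.EndsWith(".sjs", StringComparison.OrdinalIgnoreCase) ||
               requestPath.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase);
    }
}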

}

