码迷,mamicode.com
首页 > 其他好文 > 详细

防XSS攻击过滤器

时间:2020-07-28 16:59:08      阅读:62      评论:0      收藏:0      [点我收藏+]

标签:exe   database   match   tab   col   rip   data   date   action   

/// <summary>
    /// 防XSS攻击
    /// date:2020-07-28
    /// </summary>
    public class XssFilter : ActionFilterAttribute
    {
        private const string strRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var request = filterContext.RequestContext.HttpContext.Request;
            if (request.HttpMethod == "GET")
            {
                for (int i = 0; i < request.QueryString.Count; i++)
                {
                    var result = CheckData(request.QueryString[i].ToString());
                    if (result)
                    {
                        filterContext.Result = new JsonResult() { Data = new { ret = -1, msg = "提交的数据含有非法字符" }, JsonRequestBehavior = JsonRequestBehavior.AllowGet };
                        break;
                    }
                }
            }
            else
            {
                for (int i = 0; i < request.Form.Count; i++)
                {
                    var result = CheckData(request.Form[i].ToString());
                    if (result)
                    {
                        filterContext.Result = new JsonResult() { Data = new { ret = -5, msg = "提交的数据含有非法字符" } };
                        break;
                    }
                }
            }
        }

        private static bool CheckData(string inputData)
        {
            if (Regex.IsMatch(inputData, strRegex))
            {
                return true;
            }
            else
            {
                return false;
            }
        }
    }

 

防XSS攻击过滤器

标签:exe   database   match   tab   col   rip   data   date   action   

原文地址:https://www.cnblogs.com/nayilvyangguang/p/13391443.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!