zoukankan      html  css  js  c++  java

  • net core通过中间件防御Xss

    using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Newtonsoft.Json;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using VirtualCoin.MvcWeb.Models;

namespace VirtualCoin.MvcWeb.Commmon
{
    public static class RequestValidationExtensions
    {
        public static IApplicationBuilder UseRequestValidation(
           this IApplicationBuilder builder)
        {
            return builder.UseMiddleware<RequestValidation>();
        }
    }

    public class RequestValidation
    {
        private readonly RequestDelegate _next;

        public RequestValidation(RequestDelegate next)
        {
            _next = next;
        }

        public async Task InvokeAsync(HttpContext context)
        {
            const string regRole = @"<[^>]*>";
            Regex rx = new Regex(regRole, RegexOptions.Compiled | RegexOptions.IgnoreCase);

            if (context.Request.Method == "POST")
            {
                try
                {
                    var form = await context.Request.ReadFormAsync();
                    foreach (var item in form.Keys)
                    {
                        if (rx.Matches(form[item]).Count > 0)
                        {

                            await sendErorMsgAsync(context);
                            return;
                        }
                    }
                }
                catch
                {

                }
                foreach (var item in context.Request.Query.Keys)
                {
                    if (rx.Matches(context.Request.Query[item]).Count > 0)
                    {
                        await sendErorMsgAsync(context);
                        return;
                    }
                }
            }
            else if (context.Request.Method == "GET")
            {
                foreach (var item in context.Request.Query.Keys)
                {
                    if (rx.Matches(context.Request.Query[item]).Count > 0)
                    {
                        await sendErorMsgAsync(context);
                        return;
                    }
                }
            }
            await _next(context);
        }

        private async Task sendErorMsgAsync(HttpContext context)
        {
            if (context.Request.Headers["X-Requested-With"] == "XMLHttpRequest")
            {
                context.Response.StatusCode = 200;//laytable等组件没有暴露500回调接口,为了兼容性所以ajax暂时只可以走200
                context.Response.ContentType = "application/Json";
                await context.Response.WriteAsync(JsonConvert.SerializeObject(ResultMessage.Error("提交的数据包含非法字符")));
            }
            else
            {
                //context.Response.StatusCode = 500;
                //context.Response.ContentType = "text/plan;charset=utf8;";
                //await context.Response.WriteAsync("提交的数据包含非法字符");
                var jsCode = string.Format("alert('提交的数据包含非法字符');
window.history.go(-1);");
                await context.Response.WriteAsync(JavaScriptContent(jsCode));

            }
        }



        private string JavaScriptContent(string JsCode)
        {
            var Tag = @"<!doctype html>
            <html>
            <head>
            <meta charset=""utf-8"" />
            <title>...</title>
            </head>
            <body>
            <script type=""text/javascript"">{0}</script>
            </body>
            </html>";
            if (string.IsNullOrEmpty(JsCode))
            {
                JsCode = "";
            }
            return string.Format(Tag, JsCode);
        }
    }
}

      在 startup中注册:

        app.UseRequestValidation();
  • 相关阅读:
    C# 二维数组 排列组合
    highcharts(数据可视化框架),ajax传递数据问题
    EasyPoi导入验证功能
    EasyPoi使用入门
    SSJ(Spring+springMVC+JPA)设置xml文件思路流程
    spring框架设置jdbc
    使用JDBC完成CRUD(增删改查)
    Java的数据类型(常量,变量)
    jdk8的安装与卸载
    Java的第一个你好世界
  • 原文地址:https://www.cnblogs.com/nayilvyangguang/p/12673417.html
Copyright © 2011-2022 走看看