zoukankan html css js c++ java

如何让Asp.net Web Api全局预防Xss攻击

一、概述

二、什么是XSS

三、预防方法

四、在WebApi中如何实现

　　在实现之前，需要了解ASP.NET WEB API的pipeline机制。

如上，可以采用多种方式进行参数的过滤

1、重写DelegatingHandler的SendAsync方法进行过滤，结合AntiXss类库实现

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Http;
using System.Web.Mvc;
using System.Web.Optimization;
using System.Web.Routing;
using System.Web.Http.Controllers;
using Microsoft.Security.Application;
using System.Reflection;
using System.ComponentModel;
using System.Threading;
using System.Net.Http;

namespace MyNamespace
{
    public class AntiXssHttpMessageHandler : DelegatingHandler
    {
        protected override System.Threading.Tasks.Task<HttpResponseMessage> SendAsync(HttpRequestMessage Request, System.Threading.CancellationToken cancellationToken)
        {
            foreach (var key in Request.RequestUri.ParseQueryString().AllKeys)
            {
                var value = Sanitizer.GetSafeHtmlFragment(Request.RequestUri.ParseQueryString()[key]);
                if (value != Request.RequestUri.ParseQueryString()[key])
                {
                    throw new Exception();
                }
            }
            return base.SendAsync(Request, cancellationToken);
        }
    }
}

 public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );

            config.EnableSystemDiagnosticsTracing();
            config.MessageHandlers.Add(new AntiXssHttpMessageHandler());
        }
    }

2、重写ApiControllerActionInvoker的InvokeActionAsync方法

public class XssActionInvoker : ApiControllerActionInvoker {
        public override System.Threading.Tasks.Task<System.Net.Http.HttpResponseMessage> InvokeActionAsync(HttpActionContext filterContext, System.Threading.CancellationToken cancellationToken)
        {
            Dictionary<string, object> changeDictionary = new Dictionary<string, object>();
            foreach (var para in filterContext.ActionArguments)
            {
                if (para.Value.GetType()==typeof(string))
                {
                    var value = para.Value as string;
                    if (!string.IsNullOrWhiteSpace(value))
                    {
                        value = Sanitizer.GetSafeHtmlFragment(value);
                        changeDictionary.Add(para.Key, value);
                    }
                }
            }
            foreach (var changePara in changeDictionary)
            {
                filterContext.ActionArguments[changePara.Key] = changePara.Value;
            }
            return base.InvokeActionAsync(filterContext, cancellationToken);
        }
    }

 public class WebApiApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {

            GlobalConfiguration.Configuration.Services.Replace(typeof(IHttpActionInvoker), new XssActionInvoker());
        }
    }

查看全文

相关阅读:
表单参数使用场景
 [自己项目中的]表单定制的限制
 堂妹发给我的
 处理针式打印的宽度超界的一些办法（一）
delegate或event序列化的一个问题
 让图片出现幻影效果的CSS代码
 鼠标悬停出现图片提示的代码
 用CSS实现的图片透明度链接效果代码
 让图片水平循环飞舞的JavaScript代码
 Javascript+CSS实现漂亮带缓冲效果的图片展示代码

原文地址：https://www.cnblogs.com/ruanyifeng/p/4739807.html