Using AntiXSS to defend against XSS

    AntiXSS is a class library released by Microsoft for preventing XSS attacks. It provides an input whitelist (HTML sanitization) and output encoding.
    A demo project for AntiXSS is available for download at the end of the article.
     
    AntiXSS download address
    http://www.microsoft.com/download/en/details.aspx?id=5242
     
    It ships as an MSI installer; after installation the install directory contains the following files:
    AntiXSS.chm   the class library's manual, including parameter descriptions
    HtmlSanitizationLibrary.dll    contains the Sanitizer class (input whitelist)
    AntiXSSLibrary.dll    contains the AntiXss and Encoder classes (output encoding)
    To use it, add references to HtmlSanitizationLibrary.dll and AntiXSSLibrary.dll in the project,
    and import the namespace: using Microsoft.Security.Application;
     
    1. Input whitelist
    Call Sanitizer.GetSafeHtmlFragment; url_c is the cleaned string after filtering (markup that is not on the sanitizer's allow list, such as script elements and event-handler attributes, is removed).
     
                // read the raw parameter, sanitize it, and echo the cleaned fragment
                url = Request.QueryString["url"];
                url_c = Sanitizer.GetSafeHtmlFragment(url);
                Response.Write(url_c);
    2. Output encoding
     
                //HTML content encoding (text between tags)
                html_cont = Encoder.HtmlEncode(url);
                //html_cont = url;    // unencoded, for comparison
     
                //HTML attribute encoding (value of an attribute)
                input1.Value = Encoder.HtmlAttributeEncode(url);
                //input1.Value = url;
     
                //JavaScript encoding (value placed in a script block; the result comes back wrapped in single quotes)
                url_c = Encoder.JavaScriptEncode(url);
                //url_c = url;
     
                //URL encoding (for a value embedded in a URL, such as a query-string parameter)
                img1.Src = Encoder.UrlEncode(url);
                //img1.Src = url;
     
     
                XmlDocument xmlDoc;
                XmlNodeList nodeList;
     
                //XML attribute encoding
                isbn = Encoder.XmlAttributeEncode(Request.QueryString["isbn"]);
     
                if (isbn != null)
                {
                    xmlDoc = new XmlDocument();
                    xmlDoc.Load(Server.MapPath("db.xml"));
                    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
                    foreach (XmlNode xn in nodeList)
                    {
                        XmlElement xe = (XmlElement)xn;
                        if (xe.GetAttribute("genre") == "张三")
                        {
                            xe.SetAttribute("ISBN", isbn);
                        }
                    }
                    xmlDoc.Save(Server.MapPath("db.xml"));
                }
     
                //XML content encoding
                price = Encoder.XmlEncode(Request.QueryString["price"]);
                //price = Request.QueryString["price"];    // unencoded, for comparison
                if (price != null)
                {
                    xmlDoc = new XmlDocument();
                    xmlDoc.Load(Server.MapPath("db.xml"));
                    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
                    foreach (XmlNode xn in nodeList)
                    {
                        XmlElement xe = (XmlElement)xn;
                        if (xe.GetAttribute("genre") == "张三")
                        {
                            XmlNodeList nls = xe.ChildNodes;
                            foreach (XmlNode xn1 in nls)
                            {
                                XmlElement xe2 = (XmlElement)xn1;
                                if (xe2.Name == "price")
                                {
                                    xe2.InnerText = price;
                                }
                            }
                        }
                    }
                    xmlDoc.Save(Server.MapPath("db.xml"));
                }
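The following console program is an added example; it is not code from the original post or from the AntiXSS library itself. It exercises the Encoder and Sanitizer methods used above on the same proof-of-concept payloads the demo page links to and checks that the characters able to break out of each output context are gone. It also adds one point the demo glosses over: Encoder.UrlEncode is meant for a value placed inside a URL (a query-string parameter), so applying it to a whole img src merely percent-encodes the colon and turns javascript:alert(xss) into a harmless-looking relative path; an attribute that expects a full URL needs a scheme allow-list before it is attribute-encoded. The SafeHttpUrlForAttribute helper, its http/https allow-list and the fallback image path are this example's own assumptions, and the program assumes references to AntiXSSLibrary.dll and HtmlSanitizationLibrary.dll from AntiXSS 4.x.

```csharp
// Added example (not from the original post or the AntiXSS library itself).
// Exercises the AntiXSS 4.x Encoder and Sanitizer on the demo page's own
// proof-of-concept payloads in a plain console program, so the behaviour can
// be checked without a web project. Assumes references to AntiXSSLibrary.dll
// and HtmlSanitizationLibrary.dll.
using System;
using Microsoft.Security.Application;

static class AntiXssDemo
{
    // Constructed inputs: the same payloads the demo page's POC links send.
    static readonly string HtmlPayload = "<script>alert(xss)</script>";
    static readonly string AttrPayload = "\" src=\"javascript:alert(xss)\"";
    static readonly string JsPayload = "test;alert(1);";
    static readonly string UrlPayload = "javascript:alert(xss)";

    // Throws if any character that could close or alter the surrounding
    // context survived encoding; otherwise prints the encoded form.
    static void MustNotContain(string context, string encoded, params char[] forbidden)
    {
        foreach (char c in forbidden)
        {
            if (encoded.IndexOf(c) >= 0)
            {
                throw new InvalidOperationException(
                    context + " output still contains '" + c + "': " + encoded);
            }
        }
        Console.WriteLine("{0,-14} {1}", context + ":", encoded);
    }

    // Hypothetical helper (this example's own, not an AntiXSS API): an href
    // or src attribute expects a whole URL, so the scheme must be checked
    // against an allow-list; percent-encoding the entire value is not a fix.
    // Returns null for anything that is not an absolute http(s) URL, so the
    // caller can substitute a safe default. Assumption: the application only
    // ever embeds http/https links.
    static string SafeHttpUrlForAttribute(string candidate)
    {
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri))
        {
            return null;
        }
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
        {
            return null;
        }
        // The value still lands inside an HTML attribute, so encode for that context.
        return Encoder.HtmlAttributeEncode(uri.AbsoluteUri);
    }

    static void Main()
    {
        // 1. Sanitizer (input whitelist): markup on the allow-list is kept,
        //    the script element is removed.
        string clean = Sanitizer.GetSafeHtmlFragment(HtmlPayload + "<b>bold</b>");
        if (clean.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            throw new InvalidOperationException("sanitizer left a script tag: " + clean);
        }
        Console.WriteLine("{0,-14} {1}", "Sanitizer:", clean);

        // 2. Output encoding: one encoder per output context.
        MustNotContain("HtmlEncode", Encoder.HtmlEncode(HtmlPayload), '<', '>');
        MustNotContain("HtmlAttribute", Encoder.HtmlAttributeEncode(AttrPayload), '"', '\'', '<', '>');
        MustNotContain("XmlEncode", Encoder.XmlEncode("<price>1</price>"), '<', '>');
        MustNotContain("XmlAttribute", Encoder.XmlAttributeEncode("2-3631-4\" x=\"y"), '"', '<', '>');

        // JavaScriptEncode returns a quoted string literal by default, which is
        // why the page can write `var url = <%=url_c %>;` without its own quotes.
        string js = Encoder.JavaScriptEncode(JsPayload);
        if (!js.StartsWith("'") || !js.EndsWith("'"))
        {
            throw new InvalidOperationException("expected a quoted JS literal: " + js);
        }
        MustNotContain("JavaScript", js, ';', '(', ')', '<', '>', '"');

        // 3. URL context. UrlEncode percent-encodes the ':' too, so the
        //    javascript: payload ends up as a relative path rather than being
        //    rejected; for a whole src/href value, validate the scheme instead.
        Console.WriteLine("{0,-14} {1}", "UrlEncode:", Encoder.UrlEncode(UrlPayload));
        string src = SafeHttpUrlForAttribute(UrlPayload) ?? "/images/blank.gif";
        if (src != "/images/blank.gif")
        {
            throw new InvalidOperationException("javascript: URL was not rejected");
        }
        Console.WriteLine("{0,-14} {1}", "img src:", src);
        Console.WriteLine("{0,-14} {1}", "img src:", SafeHttpUrlForAttribute("https://example.com/a.png?x=1&y=2"));
    }
}
```

Compile it as a console application against the .NET Framework with both AntiXSS assemblies referenced. Every check throws on failure, so a run that reaches the last line shows the encoders stripped the context-breaking characters and that the javascript: URL was rejected rather than merely encoded.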
    The presentation layer follows
     
    <asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
    <form action="" id="form1" method="post">
    <table border="1">
    <tr>
        <td width="100">Type</td>
        <td width="300">POC (click me)</td>
        <td width="500">Result</td>
    </tr>
    <tr>
        <td>HTML content</td>
        <td><a href="?url=%3Cscript%3Ealert(xss)%3C/script%3E" >&lt;script&gt;alert(xss)&lt;/script&gt;</a></td>
        <td><pre id="h1" runat="server" ><%=html_cont %></pre></td>
    </tr>
    <tr>
        <td>HTML attribute</td>
        <td><a href="?url=%22%20src=%22javascript:alert(xss)%22" >&quot; src=&quot;javascript:alert(xss)&quot;</a></td>
        <td><input id="input1" runat="server"/></td>
    </tr>
    <tr>
        <td>JavaScript</td>
        <td><a href="?url=test;alert(1);">test;alert(1);</a></td>
        <td>
            <script type="text/javascript">
                var url = <%=url_c %>;
            </script>
        </td>
    </tr>
    <tr>
        <td>URL</td>
        <td><a href="?url=javascript:alert(xss)" >javascript:alert(xss)</a></td>
        <td><img id="img1" runat="server" alt="img1" /></td>
    </tr>
    <tr>
        <td>XML attribute encoding</td>
        <td><a href="?isbn=2-3631-4" >isbn=2-3631-4</a></td>
        <td><%=isbn %></td>
    </tr>
    <tr>
        <td>XML content encoding</td>
        <td><a href="?price=90" >price=90</a></td>
        <td><%=price %></td>
    </tr>
    </table>
    </form>
    </asp:Content>

Original article: https://www.cnblogs.com/xgbzsc/p/3158520.html