Using AntiXSS to defend against XSS
Source: Internet  Editor: 程序博客网  Time: 2024/05/20 13:07
After running the MSI installer, the installation directory contains the following files:
AntiXSS.chm: the class library manual, including parameter descriptions
HtmlSanitizationLibrary.dll: contains the Sanitizer class (input allow-list)
AntiXSSLibrary.dll: contains the AntiXss and Encoder classes (output encoding)
To use them, add references to HtmlSanitizationLibrary.dll and AntiXSSLibrary.dll in the project
and import the namespace: using Microsoft.Security.Application;
1. Input allow-list
Call Sanitizer.GetSafeHtmlFragment; url_c is the clean string that remains after filtering:
url = Request.QueryString["url"];
url_c = Sanitizer.GetSafeHtmlFragment(url);
Response.Write(url_c);
2. Output encoding
// Each commented-out line below is the unencoded variant, kept for comparison.
//HTML content encoding
html_cont = Encoder.HtmlEncode(url);
//html_cont = url;
//HTML attribute encoding
input1.Value = Encoder.HtmlAttributeEncode(url);
//input1.Value = url;
//JavaScript string encoding (returns a complete single-quoted literal)
url_c = Encoder.JavaScriptEncode(url);
//url_c = url;
//URL encoding
img1.Src = Encoder.UrlEncode(url);
//img1.Src = url;
XmlDocument xmlDoc;
XmlNodeList nodeList;
//XML attribute encoding
isbn = Encoder.XmlAttributeEncode(Request.QueryString["isbn"]);
if (isbn != null)
{
    xmlDoc = new XmlDocument();
    xmlDoc.Load(Server.MapPath("db.xml"));
    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
    foreach (XmlNode xn in nodeList)
    {
        XmlElement xe = (XmlElement)xn;
        if (xe.GetAttribute("genre") == "张三")
        {
            xe.SetAttribute("ISBN", isbn);
        }
    }
    xmlDoc.Save(Server.MapPath("db.xml"));
}
//XML content encoding
price = Encoder.XmlEncode(Request.QueryString["price"]);
//price = Request.QueryString["price"];
if (price != null)
{
    xmlDoc = new XmlDocument();
    xmlDoc.Load(Server.MapPath("db.xml"));
    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
    foreach (XmlNode xn in nodeList)
    {
        XmlElement xe = (XmlElement)xn;
        if (xe.GetAttribute("genre") == "张三")
        {
            XmlNodeList nls = xe.ChildNodes;
            foreach (XmlNode xn1 in nls)
            {
                XmlElement xe2 = (XmlElement)xn1;
                if (xe2.Name == "price")
                {
                    xe2.InnerText = price;
                }
            }
        }
    }
    xmlDoc.Save(Server.MapPath("db.xml"));
}
The presentation layer follows:
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
<form action="" id="form1" method="post">
<table border="1">
<tr>
<td width="100">Type</td>
<td width="300">POC clickme</td>
<td width="500">result</td>
</tr>
<tr>
<td>HTML content</td>
<td><a href="?url=%3Cscript%3Ealert('xss')%3C/script%3E" ><script>alert('xss')</script></a></td>
<td><pre id="h1" runat="server" ><%=html_cont %></pre></td>
</tr>
<tr>
<td>HTML attribute</td>
<td><a href="?url=%22%20src=%22javascript:alert('xss')%22" >" src="javascript:alert('xss')"</a></td>
<td><input id="input1" runat="server"/></td>
</tr>
<tr>
<td>js</td>
<td><a href="?url=test';alert(1);'">test';alert(1);'</a></td>
<td>
<script type="text/javascript">
var url = <%=url_c %>;
</script>
</td>
</tr>
<tr>
<td>URL</td>
<td><a href="?url=javascript:alert('xss')" >javascript:alert('xss')</a></td>
<td><img id="img1" runat="server" alt="img1" /></td>
</tr>
<tr>
<td>XML attribute encoding</td>
<td><a href="?isbn=2-3631-4" >isbn=2-3631-4</a></td>
<td><%=isbn %></td>
</tr>
<tr>
<td>XML content encoding</td>
<td><a href="?price=90" >price=90</a></td>
<td><%=price %></td>
</tr>
</table>
</form>
</asp:Content>
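To make clear what the Encoder calls above actually do to the demo page's four POC payloads, here is an added Python model of the AntiXSS allow-list approach (constructed for this note, not the Microsoft library): every character outside a small safe set is encoded in the form the output context needs, and a different encoder is used for HTML text, HTML attributes, JavaScript string literals and URL values. Safe sets and escape formats are assumptions modelled on AntiXSS 4.x behaviour; the XML encoders are omitted.

```python
"""Allow-list output encoders in the style of the AntiXSS Encoder class.
Constructed example, not the Microsoft library: anything not on a small
safe list is encoded in the form the output context requires."""
import string
from urllib.parse import quote

# Safe set modelled on AntiXSS HtmlEncode: letters, digits, space . , - _
_HTML_SAFE = set(string.ascii_letters + string.digits + " .,-_")
# Named entities for the characters that can close an HTML context.
_NAMED = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}


def _entity(ch: str) -> str:
    return _NAMED.get(ch, "&#%d;" % ord(ch))


def html_encode(value: str) -> str:
    """Text between tags, e.g. the <pre> cell in the demo page."""
    return "".join(ch if ch in _HTML_SAFE else _entity(ch) for ch in value)


def html_attribute_encode(value: str) -> str:
    """Attribute values: the space is encoded too, because an unquoted
    attribute ends at the first space (the input1.Value case)."""
    return "".join(ch if ch in _HTML_SAFE and ch != " " else _entity(ch)
                   for ch in value)


def javascript_encode(value: str) -> str:
    """Returns a complete single-quoted JS literal; every non-alphanumeric
    becomes \\xHH or \\uHHHH, so no quote in the input can close it
    (the 'var url = <%=url_c %>;' cell)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "'" + "".join(out) + "'"


def url_encode(value: str) -> str:
    """A value embedded in a URL (the img1.Src case): percent-encode all
    but unreserved characters, so ':' cannot act as a scheme separator."""
    return quote(value, safe="-._~")


# The demo page's POC payloads, each paired with the encoder for its context.
DEMO = {"html": (html_encode, "<script>alert('xss')</script>"),
        "attr": (html_attribute_encode, '" src="javascript:alert(\'xss\')"'),
        "js": (javascript_encode, "test';alert(1);'"),
        "url": (url_encode, "javascript:alert('xss')")}


def encode_demo() -> dict:
    """Runs every POC payload through the encoder for its context."""
    return {name: enc(payload) for name, (enc, payload) in DEMO.items()}
```

The point of keeping four encoders rather than one is that each context has its own terminators: the same payload must lose `<` for text, `"` and space for attributes, `'` for a script literal and `:` for a URL.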