使用 ASP.NET MVC 防止 JS 注入
我希望允许用户将 HTML 发布到网站,但需要确保没有 Javascript 注入到网站中。
到目前为止,我已经创建了一个验证属性来检查传入的 html 是否存在狡猾的行为,
[AttributeUsage(AttributeTargets.Property,
AllowMultiple = false, Inherited = true)]
public class CheckHtml : ValidationAttribute, IMetadataAware {
private static Regex _check = new Regex(
@"<script[^>]*>.*?<\/script>|<[^>]*(click|mousedown|mouseup|mousemove|keypress|keydown|keyup)[^>]*>",
RegexOptions.Singleline|RegexOptions.IgnoreCase|RegexOptions.Compiled);
protected override ValidationResult IsValid(
object value, ValidationContext validationContext) {
if(value!=null
&& _check.IsMatch(value.ToString())){
return new ValidationResult("Content is not acceptable");
}
return ValidationResult.Success;
}
/// <summary>
/// <para>Allow Html</para>
/// </summary>
public void OnMetadataCreated(ModelMetadata metadata) {
if (metadata == null) {
throw new ArgumentNullException("metadata");
}
metadata.RequestValidationEnabled = false;
}
}
这足够了吗? 你会做什么来检查这种顽皮行为?
I would like to allow users to post HTML to a site but need to ensure that no Javascript is injected into the site.
So far I have created a validation attribute to check the incoming html for dodgy doings
[AttributeUsage(AttributeTargets.Property,
AllowMultiple = false, Inherited = true)]
public class CheckHtml : ValidationAttribute, IMetadataAware {
private static Regex _check = new Regex(
@"<script[^>]*>.*?<\/script>|<[^>]*(click|mousedown|mouseup|mousemove|keypress|keydown|keyup)[^>]*>",
RegexOptions.Singleline|RegexOptions.IgnoreCase|RegexOptions.Compiled);
protected override ValidationResult IsValid(
object value, ValidationContext validationContext) {
if(value!=null
&& _check.IsMatch(value.ToString())){
return new ValidationResult("Content is not acceptable");
}
return ValidationResult.Success;
}
/// <summary>
/// <para>Allow Html</para>
/// </summary>
public void OnMetadataCreated(ModelMetadata metadata) {
if (metadata == null) {
throw new ArgumentNullException("metadata");
}
metadata.RequestValidationEnabled = false;
}
}
Is this going to be enough?
What do you do to check for such naughtyness?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
查看 Microsoft AntiXSS 库。它拥有一个
AntiXSS.GetSafeHtmlFragment()方法,该方法返回去除了所有 XSS 缺陷的 HTML。正如大卫所指出的,白名单始终是最佳选择。 AntiXSS 使用 HTML 元素/属性的白名单来抵御 XSS/过滤掉 JavaScript。
Take a look at the Microsoft AntiXSS library. It boasts a
AntiXSS.GetSafeHtmlFragment()method which returns the HTML stripped of all the XSS-badness.As David has pointed out, a white list is always the way to go. AntiXSS uses a whitelist of HTML elements/attributes that are safe against XSS / filters out JavaScript.
不,这是黑名单。黑名单是远远不够的。
不,它是一个正则表达式。正则表达式在处理任意 HTML 时毫无用处。
适当的 HTML 解析器与白名单相结合。
No. It is a blacklist. A blacklist is never enough.
No. It is a regular expression. Regular expressions are rubbish at dealing with arbitrary HTML.
A proper HTML parser combined with a whitelist.
Jeff Atwood 在重构我的代码时就这个主题进行了很好的讨论。绝对值得花时间检查一下: http://refactormycode.com/codes/333-sanitize- html
最终的重构版本应该非常可靠。安全性从来都不是 100% 的事情,但这可能比大多数其他例子要好。
Jeff Atwood had a nice discussion of this topic over on refactor my code. Definitely worth the time to check it out: http://refactormycode.com/codes/333-sanitize-html
The final refactored version should be pretty solid. Security is never a 100% type of thing but this is probably better than most other examples floating around.