.NET 中具有特定 src 属性值的 IFrame 的反 XSS 清理

发布于 2024-11-13 10:00:18 字数 197 浏览 1 评论 0原文

我希望完成以下任务:使用 AntiXSS 或 AntiSamy 库清理 WYSIWIG 用户输入,但是,允许具有来自特定域的“src”属性的 iframe 标签。有办法做到这一点吗?

我正在考虑用正则表达式以某种方式解析它,并将其替换为类似 {{iframe-begin}} 标记的“< iframe”,然后在控制器逻辑中将其替换为“

谢谢。

I'm looking to accomplish the following: sanitize WYSIWIG user-input using either AntiXSS or AntiSamy libraries, however, allow iframe tags which have "src" attribute from particular domains. Is there a way to accomplish this?

I was thinking about parsing it up with Regex somehow and swapping it out "< iframe" for something like {{iframe-begin}} tag and later on swapping it out in the controller logic with "

Thank you.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

往事风中埋 2024-11-20 10:00:18

我还想为我的 WYSISWIG 编辑器之一进行一些 HTML 清理。

一种方法是使用Microsoft 反跨站脚本库http://msdn.microsoft.com/en-us/library/aa973813.aspx

另一种方法是为 HTML 创建一个白名单解析器。

这是我与 HTML Agility Pack 一起使用的,您可以使用标签和允许的属性配置白名单:

public static class HtmlSanitizer
{
私有静态只读 IDictionary 白名单;
私有静态列表DeletableNodesXpath = new List();

    static HtmlSanitizer()
    {
        Whitelist = new Dictionary<string, string[]> {
            { "a", new[] { "href" } },
            { "strong", null },
            { "em", null },
            { "blockquote", null },
            { "b", null},
            { "p", null},
            { "ul", null},
            { "ol", null},
            { "li", null},
            { "div", new[] { "align" } },
            { "strike", null},
            { "u", null},                
            { "sub", null},
            { "sup", null},
            { "table", null },
            { "tr", null },
            { "td", null },
            { "th", null }
            };
    }

    public static string Sanitize(string input)
    {
        if (input.Trim().Length < 1)
            return string.Empty;
        var htmlDocument = new HtmlDocument();

        htmlDocument.LoadHtml(input);            
        SanitizeNode(htmlDocument.DocumentNode);
        string xPath = HtmlSanitizer.CreateXPath();

        return StripHtml(htmlDocument.DocumentNode.WriteTo().Trim(), xPath);
    }

    private static void SanitizeChildren(HtmlNode parentNode)
    {
        for (int i = parentNode.ChildNodes.Count - 1; i >= 0; i--)
        {
            SanitizeNode(parentNode.ChildNodes[i]);
        }
    }

    private static void SanitizeNode(HtmlNode node)
    {
        if (node.NodeType == HtmlNodeType.Element)
        {
            if (!Whitelist.ContainsKey(node.Name))
            {
                if (!DeletableNodesXpath.Contains(node.Name))
                {                       
                    //DeletableNodesXpath.Add(node.Name.Replace("?",""));
                    node.Name = "removeableNode";
                    DeletableNodesXpath.Add(node.Name);
                }
                if (node.HasChildNodes)
                {
                    SanitizeChildren(node);
                }                  

                return;
            }

            if (node.HasAttributes)
            {
                for (int i = node.Attributes.Count - 1; i >= 0; i--)
                {
                    HtmlAttribute currentAttribute = node.Attributes[i];
                    string[] allowedAttributes = Whitelist[node.Name];
                    if (allowedAttributes != null)
                    {
                        if (!allowedAttributes.Contains(currentAttribute.Name))
                        {
                            node.Attributes.Remove(currentAttribute);
                        }
                    }
                    else
                    {
                        node.Attributes.Remove(currentAttribute);
                    }
                }
            }
        }

        if (node.HasChildNodes)
        {
            SanitizeChildren(node);
        }
    }

    private static string StripHtml(string html, string xPath)
    {
        HtmlDocument htmlDoc = new HtmlDocument();
        htmlDoc.LoadHtml(html);
        if (xPath.Length > 0)
        {
            HtmlNodeCollection invalidNodes = htmlDoc.DocumentNode.SelectNodes(@xPath);
            foreach (HtmlNode node in invalidNodes)
            {
                node.ParentNode.RemoveChild(node, true);
            }
        }
        return htmlDoc.DocumentNode.WriteContentTo(); ;
    }

    private static string CreateXPath()
    {
        string _xPath = string.Empty;
        for (int i = 0; i < DeletableNodesXpath.Count; i++)
        {
            if (i != DeletableNodesXpath.Count - 1)
            {
                _xPath += string.Format("//{0}|", DeletableNodesXpath[i].ToString());
            }
            else _xPath += string.Format("//{0}", DeletableNodesXpath[i].ToString());
        }
        return _xPath;
    }
}

I also wanted to do some HTML sanitization for one of my WYSISWIG editors.

One aproach is to use the Microsoft Anti-Cross Site Scripting Library. http://msdn.microsoft.com/en-us/library/aa973813.aspx

Another is to create a whitelist parser for HTML.

Here is what I used along with HTML Agility Pack, you can configure the whitelist with tags and allowed atributes:

public static class HtmlSanitizer
{
private static readonly IDictionary Whitelist;
private static List DeletableNodesXpath = new List();

    static HtmlSanitizer()
    {
        Whitelist = new Dictionary<string, string[]> {
            { "a", new[] { "href" } },
            { "strong", null },
            { "em", null },
            { "blockquote", null },
            { "b", null},
            { "p", null},
            { "ul", null},
            { "ol", null},
            { "li", null},
            { "div", new[] { "align" } },
            { "strike", null},
            { "u", null},                
            { "sub", null},
            { "sup", null},
            { "table", null },
            { "tr", null },
            { "td", null },
            { "th", null }
            };
    }

    public static string Sanitize(string input)
    {
        if (input.Trim().Length < 1)
            return string.Empty;
        var htmlDocument = new HtmlDocument();

        htmlDocument.LoadHtml(input);            
        SanitizeNode(htmlDocument.DocumentNode);
        string xPath = HtmlSanitizer.CreateXPath();

        return StripHtml(htmlDocument.DocumentNode.WriteTo().Trim(), xPath);
    }

    private static void SanitizeChildren(HtmlNode parentNode)
    {
        for (int i = parentNode.ChildNodes.Count - 1; i >= 0; i--)
        {
            SanitizeNode(parentNode.ChildNodes[i]);
        }
    }

    private static void SanitizeNode(HtmlNode node)
    {
        if (node.NodeType == HtmlNodeType.Element)
        {
            if (!Whitelist.ContainsKey(node.Name))
            {
                if (!DeletableNodesXpath.Contains(node.Name))
                {                       
                    //DeletableNodesXpath.Add(node.Name.Replace("?",""));
                    node.Name = "removeableNode";
                    DeletableNodesXpath.Add(node.Name);
                }
                if (node.HasChildNodes)
                {
                    SanitizeChildren(node);
                }                  

                return;
            }

            if (node.HasAttributes)
            {
                for (int i = node.Attributes.Count - 1; i >= 0; i--)
                {
                    HtmlAttribute currentAttribute = node.Attributes[i];
                    string[] allowedAttributes = Whitelist[node.Name];
                    if (allowedAttributes != null)
                    {
                        if (!allowedAttributes.Contains(currentAttribute.Name))
                        {
                            node.Attributes.Remove(currentAttribute);
                        }
                    }
                    else
                    {
                        node.Attributes.Remove(currentAttribute);
                    }
                }
            }
        }

        if (node.HasChildNodes)
        {
            SanitizeChildren(node);
        }
    }

    private static string StripHtml(string html, string xPath)
    {
        HtmlDocument htmlDoc = new HtmlDocument();
        htmlDoc.LoadHtml(html);
        if (xPath.Length > 0)
        {
            HtmlNodeCollection invalidNodes = htmlDoc.DocumentNode.SelectNodes(@xPath);
            foreach (HtmlNode node in invalidNodes)
            {
                node.ParentNode.RemoveChild(node, true);
            }
        }
        return htmlDoc.DocumentNode.WriteContentTo(); ;
    }

    private static string CreateXPath()
    {
        string _xPath = string.Empty;
        for (int i = 0; i < DeletableNodesXpath.Count; i++)
        {
            if (i != DeletableNodesXpath.Count - 1)
            {
                _xPath += string.Format("//{0}|", DeletableNodesXpath[i].ToString());
            }
            else _xPath += string.Format("//{0}", DeletableNodesXpath[i].ToString());
        }
        return _xPath;
    }
}
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文