English 中文(简体)
如何消除危险特性(描述标签)?
原标题:How to remove dangerous characters(ie script tags)?

我很想知道是否有任何类型的C#类或3级政党图书馆消除诸如文字标签等危险特性?

我知道你可以使用ex子,但我也知道,人们可以写上他们手脚的标签,这样你就可以把reg子ool起来,把它看作是科索沃。

我还听到。 紫外线 那么,我很想知道,是否为它规定过任何打字级?

<><>Edit>/strong>

我发现这种形式。 然而,我不相信,这一解决办法是完全的,因为伪装没有任何检验可加以证实,如果在某些地方使用这种文字的人每天都在检测到是否有任何东西,那那将是nic。

Great example (almost), Thanks! A few ways to make it stronger that I saw, though:

1) Use case-insensitive search when looking for links with "javascript:", "vbscript:", "jscript:". For example, the original example would not remove the HTML:

<a href="JAVAscRipt:alert( hi )">click> me</a>

2) Remove any style attributes that contain an expression rule. Internet Explorer evaluates the CSS rule express as script. For example, the following would product a message box:

<div style="width:expression(alert( hi ));">bad> code</div>

3) 拆除标签

I honestly have no idea why "expression" has not been removed from IE - major flaw in my opinion. (Try the div example in internet explorer and you ll see why - even IE8.) I just wish there was an easier/standard way to clean-up html input from a user.

Here s the code updated with these improvements. Let me know if you see anything wrong:

    public string ScrubHTML(string html)
    {
        HtmlDocument doc = new HtmlDocument();
        doc.LoadHtml(html);

        //Remove potentially harmful elements
        HtmlNodeCollection nc = doc.DocumentNode.SelectNodes("//script|//link|//iframe|//frameset|//frame|//applet|//object|//embed");
        if (nc != null)
        {
            foreach (HtmlNode node in nc)
            {
                node.ParentNode.RemoveChild(node, false);

            }
        }

        //remove hrefs to java/j/vbscript URLs
        nc = doc.DocumentNode.SelectNodes("//a[starts-with(translate(@href,  ABCDEFGHIJKLMNOPQRSTUVWXYZ ,  abcdefghijklmnopqrstuvwxyz ),  javascript )]|//a[starts-with(translate(@href,  ABCDEFGHIJKLMNOPQRSTUVWXYZ ,  abcdefghijklmnopqrstuvwxyz ),  jscript )]|//a[starts-with(translate(@href,  ABCDEFGHIJKLMNOPQRSTUVWXYZ ,  abcdefghijklmnopqrstuvwxyz ),  vbscript )]");
        if (nc != null)
        {

            foreach (HtmlNode node in nc)
            {
                node.SetAttributeValue("href", "#");
            }
        }


        //remove img with refs to java/j/vbscript URLs
        nc = doc.DocumentNode.SelectNodes("//img[starts-with(translate(@src,  ABCDEFGHIJKLMNOPQRSTUVWXYZ ,  abcdefghijklmnopqrstuvwxyz ),  javascript )]|//img[starts-with(translate(@src,  ABCDEFGHIJKLMNOPQRSTUVWXYZ ,  abcdefghijklmnopqrstuvwxyz ),  jscript )]|//img[starts-with(translate(@src,  ABCDEFGHIJKLMNOPQRSTUVWXYZ ,  abcdefghijklmnopqrstuvwxyz ),  vbscript )]");
        if (nc != null)
        {
            foreach (HtmlNode node in nc)
            {
                node.SetAttributeValue("src", "#");
            }
        }

        //remove on<Event> handlers from all tags
        nc = doc.DocumentNode.SelectNodes("//*[@onclick or @onmouseover or @onfocus or @onblur or @onmouseout or @ondoubleclick or @onload or @onunload]");
        if (nc != null)
        {
            foreach (HtmlNode node in nc)
            {
                node.Attributes.Remove("onFocus");
                node.Attributes.Remove("onBlur");
                node.Attributes.Remove("onClick");
                node.Attributes.Remove("onMouseOver");
                node.Attributes.Remove("onMouseOut");
                node.Attributes.Remove("onDoubleClick");
                node.Attributes.Remove("onLoad");
                node.Attributes.Remove("onUnload");
            }
        }

        // remove any style attributes that contain the word expression (IE evaluates this as script)
        nc = doc.DocumentNode.SelectNodes("//*[contains(translate(@style,  ABCDEFGHIJKLMNOPQRSTUVWXYZ ,  abcdefghijklmnopqrstuvwxyz ),  expression )]");
        if (nc != null)
        {
            foreach (HtmlNode node in nc)
            {
                node.Attributes.Remove("stYle");
            }
        }

        return doc.DocumentNode.WriteTo();
    }
问题回答

我们有同样的问题: 用户进入超文本,我们希望在X超文本网页上显示。 请注意,它们进入超文本碎块,而不是完整的文件。 我在2010年利用单位测试对许多不同案例进行了研究。

解决办法:

  1. Use Microsoft Anti-Cross Site Scripting Library to remove everything considered unsafe (mainly scripts). Note that this tool doesn t close these tags: img, hr, br and sometimes it closes tags in the wrong order.
  2. Use Tidy.Net to make create almost valid XHTML.
  3. Remove html, head and body tags that Tidy.Net tends to create.
  4. Remove extra line breaks that Tidy.Net creates inside "pre" tags.

这将消除所有联合材料,并产生多数情况下有效的X射线碎片。 它还将消除所有风格的标签。

我尝试的工具有这些问题:

Microsoft Anti-Cross Site forming Library: 是否关闭了这些标签: im、hr、 br首,有时甚至 close倒错误的标签。 不幸的是,无法按部就班。

Tidy.Net: 在主角内设立额外分界线。 (在使用该工具后人工确定)

TidyForNet: 不稳定。 有时给你“Asertion un in bla.c”

Tidy (C-DLL) COM Packper made in VB6: 至少说不实。 页: 1

www.un.org/Depts/DGACM/index_spanish.htm HtmlAgilityPack: 偶尔插入课外休息。 移除线从前tag起。

<Majestic12 RUS-parser: 是否关闭了这些标签: im、hr、 br首,有时甚至 close倒错误的标签。

<>AntiSamy.Net: 这种做法不切实际,因为它使用了J#中写过时的部分。 因此,它不能在64个轨道环境中运行。 在加一面,可以非常定制哪些标签和归属价值。

时间:2011-12-07 10:19:38

How about Encoder.HtmlEncode? VS 2010在尝试使用<代码>时建议使用该编码。 AntiXss.HtmlEncode

时间:2012-08-23 02:04:21

string value = "Here alert( hello ) we go. Visit the " + "http://west-wind.com >West Wind site. " + "http://west-wind.com/images/new.gif /> "; string safestring = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(value);

以上法典将排除文字标签,使之无法扼杀。

时间:2019-05-29 07:23:10

我将采用内在的方法。 正如我所看到的那样,如果用户想要打破你的方案,他们就会找到这样做的办法。 但是,如果你将多种方法结合起来,使用户投入更加安全。

例如,用一个称为“神秘性”的“强硬变量”,我将把区域执法、技术和革新的特性与仅仅靠手提的普通手工特性结合起来,这只是安全的。

这样做将消除数字上下的一切。

myString = Regex.Replace(myString, "[^a-z0-9]", "", RegexOptions.CaseInsensitive);
myString = myString.replace("/","");
myString = myString.replace("<","");

等等。

您还可以进一步扩大这一范围,删除“并”、“”和“和”性质之间,然后在“和”与“和”之间。

我更喜欢不要使用外部第三方图书馆——除非我不得不这样做——因为你也必须分发图书馆,你再次依靠他人的方案来保障你们的安全,如果他们的软件贵重也容易受到伤害。

时间:2010-06-02 22:38:39


上一篇:
下一篇:


相关问题
Anyone feel like passing it forward?

I m the only developer in my company, and am getting along well as an autodidact, but I know I m missing out on the education one gets from working with and having code reviewed by more senior devs. ...

时间:2009-11-13 04:17:47 回答:6 展示:1
NSArray s, Primitive types and Boxing Oh My!

I m pretty new to the Objective-C world and I have a long history with .net/C# so naturally I m inclined to use my C# wits. Now here s the question: I feel really inclined to create some type of ...

时间:2009-11-13 04:15:39 回答:4 展示:1
C# Marshal / Pinvoke CBitmap?

I cannot figure out how to marshal a C++ CBitmap to a C# Bitmap or Image class. My import looks like this: [DllImport(@"test.dll", CharSet = CharSet.Unicode)] public static extern IntPtr ...

时间:2009-11-13 03:47:30 回答:1 展示:1
How to Use Ghostscript DLL to convert PDF to PDF/A

How to user GhostScript DLL to convert PDF to PDF/A. I know I kind of have to call the exported function of gsdll32.dll whose name is gsapi_init_with_args, but how do i pass the right arguments? BTW, ...

时间:2009-11-13 03:33:19 回答:3 展示:1
Linqy no matchy

Maybe it s something I m doing wrong. I m just learning Linq because I m bored. And so far so good. I made a little program and it basically just outputs all matches (foreach) into a label control. ...

时间:2009-11-13 03:12:54 回答:2 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全