AntiXss类库是微软开源的一款用于预防跨站脚本（XSS）等注入攻击的编码类库：它采用白名单机制，只放行安全字符集内的字符，其余一律编码，而不是黑名单式地过滤“坏”字符。目前它支持对这些输出上下文进行编码：XML、HTML、QueryString、HTML Form URL Encode、LDAP、JavaScript。需要注意的是，编码方式必须与不可信数据最终输出到的上下文相匹配——日常开发中我们更常用的是 XML、QueryString 或 Form URL 编码，但只要不可信数据会被拼接进 JavaScript 代码或 LDAP 查询，就同样必须使用对应的 JavaScript/LDAP 编码，否则用 XML/HTML 编码并不能阻止注入。下面是个对不可信 XML 内容进行安全编码的小例子：
编码XML
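/// <summary>
/// Demo: takes a (deliberately malformed) shopping-cart XML fragment, pulls every
/// &lt;item&gt; out of it with a regex, rebuilds the document with each extracted
/// value passed through AntiXSS XmlEncode, and prints both the original and the
/// encoded result to the console.
/// </summary>
/// <remarks>
/// Only regex matches are copied into the rebuilt document, so any item that does
/// not match the expected layout exactly is silently dropped. This demonstrates
/// output encoding; it is not a general-purpose XML sanitizer.
/// NOTE(review): <c>AntiXssLibrary.Encoder</c> reads like the assembly name; in
/// AntiXSS 4.x the encoder type is <c>Microsoft.Security.Application.Encoder</c>
/// — confirm the alias/namespace against the referenced version.
/// </remarks>
static void EncodeXML()
{
    // Untrusted sample input: the second item carries a stray '<' and '&' that
    // would break (or inject into) any consumer that treats the text as markup.
    string attachedXML = @"<shoppingcart>
<item date='2013/6/8'>
<id>1</id>
<name>book</name>
<price>80</price>
<discount>10</discount>
</item>
<item date='2013/6/9'>
<id>1</id>
<name><attack you!</name>
<price>&80</price>
<discount>10</discount>
</item>
</shoppingcart>";

    string safeXml = BuildSafeXml(attachedXML);

    Console.WriteLine("unsafe xml:\n" + attachedXML);
    Console.WriteLine("safe xml:\n" + safeXml);
    /* Expected shape of the "safe xml" output. The original listing repeated the
       unencoded input here, which is wrong: '<' and '&' in the second item must
       come out entity-encoded, which is what makes it harmless. Exactly which
       other punctuation ('/', '!') is additionally encoded as numeric entities
       depends on the AntiXSS version in use — confirm by running it.
    <shoppingcart>
    <item date='2013/6/8'><id>1</id><name>book</name><price>80</price><discount>10</discount></item>
    <item date='2013/6/9'><id>1</id><name>&lt;attack you!</name><price>&amp;80</price><discount>10</discount></item>
    </shoppingcart>
    */
}

/// <summary>
/// Rebuilds <paramref name="untrustedXml"/> with every field of every recognised
/// &lt;item&gt; XML-encoded, one item per line inside a &lt;shoppingcart&gt; root.
/// </summary>
/// <param name="untrustedXml">
/// Cart XML whose item fields may contain markup characters. <c>null</c> is
/// treated as empty input.
/// </param>
/// <returns>
/// The rebuilt document. Items the regex does not recognise are omitted rather
/// than copied through unencoded.
/// </returns>
static string BuildSafeXml(string untrustedXml)
{
    // The opening quote of the date attribute is captured once (?<q>) and must be
    // matched again by \k<q>, so a mismatched pair such as date='....> is rejected.
    // The original class ['|"] also accepted a literal '|' as a quote delimiter.
    Regex extractRegex = new Regex(
        @"<item\s+date=(?<q>['""])(?<date>.+?)\k<q>\s*>\s*" +
        @"<id>(?<id>.*?)</id>\s*<name>(?<name>.*?)</name>\s*" +
        @"<price>(?<price>.*?)</price>\s*<discount>(?<discount>.*?)</discount>\s*</item>");
    string xmlNodeFormat = @"<item date='{0}'><id>{1}</id><name>{2}</name><price>{3}</price><discount>{4}</discount></item>";

    StringBuilder safeXml = new StringBuilder();
    safeXml.AppendLine("<shoppingcart>");
    foreach (Match item in extractRegex.Matches(untrustedXml ?? string.Empty))
    {
        // Every captured value goes through XmlEncode before being placed back
        // into markup. The date lands inside a single-quoted attribute, so the
        // encoder must also escape the apostrophe — AntiXSS XmlEncode is
        // documented to do so; confirm for the version referenced.
        safeXml.AppendLine(string.Format(xmlNodeFormat,
            AntiXssLibrary.Encoder.XmlEncode(item.Groups["date"].Value),
            AntiXssLibrary.Encoder.XmlEncode(item.Groups["id"].Value),
            AntiXssLibrary.Encoder.XmlEncode(item.Groups["name"].Value),
            AntiXssLibrary.Encoder.XmlEncode(item.Groups["price"].Value),
            AntiXssLibrary.Encoder.XmlEncode(item.Groups["discount"].Value)));
    }
    safeXml.AppendLine("</shoppingcart>");
    return safeXml.ToString();
}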
常见的注入类型攻击
AntiXssLibrary下载