C#--正则过滤网页及数据库敏感字符——网络安全

最常见的网络攻击就是跨站脚本攻击和SQL注入。
其他的只要注意数据安全，即数据库返回的数据与前台展示的数据分离，最好不要公用model，一般的等保测试就没问题。

以下针对未在过滤器中统一处理的情况补加单独处理的方式。
如果在过滤器中处理，也是使用以下正则去匹配，总体模式相似。

		//要放在静态类中才能使用
		/// <summary>
        ///过滤单引号及数据库敏感字符
        /// </summary>
        /// <param name="strInput">要过滤的字符串</param>
        /// <returns></returns>
        public static string FilterString(this object strInput)
        {
            string strRtn = string.Empty;
            try
            {
                if (strInput == null)
                {
                    strRtn = string.Empty;
                }
                else
                {
                    strRtn = strInput.ToString();
                    删除脚本
                    strRtn = Regex.Replace(strRtn, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
                    //删除HTML
                    strRtn = Regex.Replace(strRtn, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"-->", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"<!--.*", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, @"&#(\d+);", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "xp_cmdshell", "", RegexOptions.IgnoreCase);
                    //删除与数据库相关的词
                    strRtn = Regex.Replace(strRtn, "insert", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "DELETE  from", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "count''", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "drop table", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "truncate", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "asc", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "'", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "alert", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "iframe", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "onmouseover", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "onload", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "prompt", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "body", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "xp_cmdshell", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "exec master", "", RegexOptions.IgnoreCase);
                    strRtn = Regex.Replace(strRtn, "net localgroup administrators", "", RegexOptions.IgnoreCase);
                    strRtn = strRtn.Replace("'", "''");
                }
            }
            catch
            {
                strRtn = string.Empty;
            }
            return strRtn;
        }