asp.net mvc 过滤XSS跨站脚本攻击

web.config增加httpModules节点
<httpModules>
      <add name="HttpAccessInterceptModule" type="Org.Core.Commons.HttpAccessInterceptModule, Org.Core.Commons"/>
</httpModules>

using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web;

namespace Org.Core.Commons
{
   
    /// <summary>
    /// http访问拦截器模块
    /// 1.过滤危险关键词
    /// 2.增加安全Header
    /// </summary>
    public class HttpAccessInterceptModule : IHttpModule
    {
   
        private static List<string> _RegexWords;
        static HttpAccessInterceptModule()
        {
   
            _RegexWords = new List<string>()
            {
   
                @"<[^>]+>'", 
                @"</[^>]+>'",
                @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt|window|location|eval|console|debugger|new|Function|var|let)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"
            };
            string[] keyWords = {
    };
            //{"'", "alert", "script","case","catch","const","continue","debugge","delete","export*","final","finally","for","function","goto","if","implements","import*","return","switch","synchronized","throw","throws","transient","try","break"}
            //new string[] { "select", "insert", "update", "delete", "drop", "truncate" };

            _RegexWords.AddRange(keyWords.Select(o =