using System;
using System.Text;
using System.Web;
using System.Text.RegularExpressions;
// 在Action前加 [ValidateInput(false)] 代替在VIew中<pages validaterequest="false"/>
// 根据微软提供的建议,慎重允许下列HTML标签,因为这些HTML标签都是有可能导致跨站脚本攻击的。
// <applet> <body> <embed> <frame> <script><frameset> <html> <iframe> <object>
// <meta> <style> <layer><link> <ilayer> <img>
// 可能这里最让人不能理解的是<img>。但是,看过下列代码后,就应该明白其危险性了。
// <img src="javascript:alert('hello');" />
namespace WebUI.Controllers.Utils
{
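public static class EncodeCKEditorValue
{
    // Deny-list of element names that are stripped (start tag, content and end tag)
    // before the remainder is HTML-encoded. Same set as the original per-tag
    // Regex.Replace calls: the always-blocked group <html> <body> <meta> <frame>
    // <frameset> <iframe> <layer> <ilayer> <applet> <script>, the "allow with care"
    // group <embed> <object> (flash) and <link> <style>, and the form controls
    // <form> <input> <textarea> <select>.
    // <img> and <a> are deliberately NOT in the list (they were commented out in the
    // original), so attribute-based vectors - event-handler attributes and script
    // URLs such as the <img src="javascript:..."> example in the file header - are not
    // neutralised by this class. Whatever renders the decoded value must still run it
    // through an allow-list HTML sanitizer; a deny-list is only a first line of defence.
    private static readonly string BlockedTagNames = string.Join("|", new[]
    {
        "html", "body", "meta", "frame", "frameset", "iframe", "layer", "ilayer",
        "applet", "script", "embed", "object", "link", "style",
        "form", "input", "textarea", "select",
    });

    // A complete element: start tag, its content and the matching end tag.
    // RegexOptions.Singleline lets '.' cross line breaks, so a <script> body spread
    // over several lines is removed together with its tags (the original patterns
    // only matched content on a single line and left such elements untouched).
    // \b anchors the end of the tag name, so elements whose name merely starts with a
    // blocked name are left alone; "</name\s*>" also accepts the "</script >" form.
    private static readonly Regex BlockedElement = new Regex(
        @"<(?<t>" + BlockedTagNames + @")\b[^>]*>.*?</\k<t>\s*>",
        RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);

    // A start tag without a matching end tag in the input: self-closing
    // ("<embed ... />"), unclosed ("<script>alert(1)" running to the end of the
    // input) or truncated at the end of the string ("<script src="). Browsers treat an
    // unclosed <script> as running to the end of the document, so the tag itself must
    // go even when no end tag follows. The original only removed the "<name .../>" form.
    private static readonly Regex OrphanStartTag = new Regex(
        @"<(?:" + BlockedTagNames + @")\b[^>]*(?:>|\z)",
        RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);

    // An end tag left behind once its start tag has been removed.
    private static readonly Regex OrphanEndTag = new Regex(
        @"</(?:" + BlockedTagNames + @")\s*>",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    /// <summary>
    /// Strips the deny-listed HTML elements from <paramref name="str"/> and returns the
    /// remainder HTML-encoded with <see cref="HttpUtility.HtmlEncode(string)"/>.
    /// Policy: "deny by default, allow explicitly" for the listed elements only.
    /// Stripping is repeated until a pass removes nothing, so a blocked tag that is
    /// only assembled once an inner element has been removed (the fragments around a
    /// removed inner script element joining up into a new script tag) is caught on the
    /// next pass instead of surviving into the stored value - a single pass, as in the
    /// original, let such input through.
    /// </summary>
    /// <param name="str">Raw editor HTML. Null or empty input is returned unchanged.</param>
    /// <returns>The filtered, HTML-encoded string (text of a stripped element that had
    /// no start tag left to anchor it may remain as inert, encoded text).</returns>
    public static string EncodeStr(string str)
    {
        if (string.IsNullOrEmpty(str))
        {
            return str;
        }

        int lengthBefore;
        do
        {
            lengthBefore = str.Length;
            str = BlockedElement.Replace(str, string.Empty);
            str = OrphanStartTag.Replace(str, string.Empty);
            str = OrphanEndTag.Replace(str, string.Empty);
            // Every replacement only deletes text, so an unchanged length means no
            // pattern matched any more and the loop has reached a fixpoint.
        } while (str.Length < lengthBefore);

        return HttpUtility.HtmlEncode(str);
    }

    /// <summary>
    /// Reverses the HTML encoding applied by <see cref="EncodeStr"/>. The elements
    /// stripped there are not restored; the result is raw HTML again and must be
    /// treated as such by the caller.
    /// </summary>
    /// <param name="encodeStr">An HTML-encoded string (null is passed through).</param>
    /// <returns>The decoded string.</returns>
    public static string DecodeStr(string encodeStr)
    {
        return HttpUtility.HtmlDecode(encodeStr);
    }
}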
}
C#编码并过滤CKeditor不安全的HTML标签