asp.net防SQL/JS注入攻击:过滤标记
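/// <summary>
/// Strips markup from untrusted text: removes &lt;script&gt; blocks, HTML tags and
/// comment remnants, decodes a small set of common entities, then deletes a fixed list
/// of SQL-related keywords.
/// </summary>
/// <param name="Htmlstring">
/// Source text that may contain HTML, script and character entities; may be null.
/// </param>
/// <returns>The text with markup removed, or an empty string when the input is null.</returns>
/// <remarks>
/// The keyword deletion at the end is NOT a defense against SQL injection. It deletes
/// substrings of ordinary words ("brand", "Pascal", "middle", "character") and cannot make
/// a string-built query safe; use parameterized queries for SQL and context-aware output
/// encoding when the result is rendered as HTML. The list and its order are kept only so
/// that existing callers see the same output.
/// </remarks>
public static string NoHTML(string Htmlstring)
{
    if (Htmlstring == null)
    {
        return "";
    }

    // Script blocks go first so their contents disappear together with the tags.
    // Singleline lets ".*?" span line breaks; without it a multi-line block survives
    // with only its tags removed by the generic tag pass below.
    Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "",
        RegexOptions.IgnoreCase | RegexOptions.Singleline);
    // Remaining tags.
    Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
    // Line breaks together with the whitespace that follows them.
    Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    // HTML comment remnants: closing marker, then an opening marker up to end of line.
    Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);

    // Decode common entities (named and numeric forms). Note this runs after tag removal,
    // so decoded '<' and '>' are returned literally: the caller must still encode the
    // result before placing it in HTML.
    Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
    // Any other numeric entity is dropped rather than decoded.
    Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);

    // Keyword blacklist (see <remarks>): retained for output compatibility, not as a
    // security control. Each entry is a regex pattern matched case-insensitively as a
    // plain substring, in the original order.
    string[] blockedWords =
    {
        "xp_cmdshell",
        "select",
        "insert",
        "delete from",
        // NOTE(review): the quote characters here look like a mis-encoding of '' in the
        // original listing — confirm the intended pattern.
        "count‘‘",
        "drop table",
        "truncate",
        "asc",
        "mid",
        "char",
        "xp_cmdshell",
        "exec master",
        "net localgroup administrators",
        "and",
    };
    foreach (string word in blockedWords)
    {
        Htmlstring = Regex.Replace(Htmlstring, word, "", RegexOptions.IgnoreCase);
    }

    return Htmlstring;
}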