
ASP防XSS注入函数

发布于:2012-01-18 13:21
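' Anti-XSS filter, originally updated 2009-04-21 by evio.
' Compared with checkstr(), Checkxss is intended to be the safer variant.
'
' Review notes on the posted listing:
'  - The Null branch assigned CheckStr instead of Checkxss, so a Null input
'    returned Empty rather than "" (and silently created a stray variable
'    when Option Explicit is off). Fixed below.
'  - The character Replace() calls appeared as identity replacements
'    (e.g. "<" -> "<"); these are almost certainly HTML character
'    references lost when the post was rendered. Restored below as the
'    standard references - confirm against the original source.
'  - The SQL-keyword regex chain (where/select/insert/...) was likewise a
'    no-op as posted, and its "( )" rule inserted "or" after every space,
'    corrupting ordinary text. It has been removed: SQL injection is not
'    an output-encoding problem and belongs at the database call
'    (parameterized queries via ADODB.Command parameters), not in a
'    display filter.
'  - This function is an encoder for HTML text and quoted attribute
'    values. It does not make a value safe inside a <script> block, a URL,
'    or an unquoted attribute; use a context-specific encoder there.
'*************************************
Function Checkxss(byVal ChkStr)
    ' Returns ChkStr with HTML-significant characters replaced by
    ' character references, and script-related keywords broken with a
    ' soft hyphen (&shy;) so they no longer match as tokens.
    ' Null and Empty inputs return "".
    Dim Str
    Str = ChkStr
    If IsNull(Str) Or IsEmpty(Str) Then
        Checkxss = ""
        Exit Function
    End If
    Str = CStr(Str)

    ' "&" must be encoded first: otherwise the references introduced below
    ' would be double-encoded, and an attacker-supplied reference such as
    ' &#x6a; (see the test vectors in the post) would pass through intact.
    Str = Replace(Str, "&", "&amp;")
    Str = Replace(Str, "<", "&lt;")
    Str = Replace(Str, ">", "&gt;")
    Str = Replace(Str, """", "&quot;")
    Str = Replace(Str, "'", "&#39;")
    Str = Replace(Str, "/", "&#47;")
    Str = Replace(Str, "*", "&#42;")

    ' Defence in depth for legacy browsers that executed script: URLs and
    ' CSS expression() from attribute values even after encoding. The
    ' soft-hyphen split is the same technique the original applied to
    ' "expression"; the three script keywords are folded into one pattern.
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True
    re.Pattern = "(java|j|vb)(script)"
    Str = re.Replace(Str, "$1&shy;$2")
    Set re = Nothing

    ' Case-insensitive to match the IgnoreCase regexes above; the original
    ' Instr/Replace pair was case-sensitive and missed "EXPRESSION".
    Str = Replace(Str, "expression", "e&shy;xpression", 1, -1, vbTextCompare)

    Checkxss = Str
End Function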
  
 测试代码:
  
 <script> alert(/xss0/) </script>
 <img src= "javascript:alert(/xss1/) " width=100>
 <img src= "javascript:alert(/xss2/) " width=100>
 <img src= "javas cript:alert(/xss3/) " width=100>
 <img src= "# " onerror=alert(/xss4/)>
 <img src= "# "/**/onerror=alert(/xss5/) width=100>
 <img src= "# " style= "Xss:expression(alert(/xss6/)); ">
  
 <img src=";#x6a;#x61;#x76;#x61;#x73;#x63;#x72;#x69;#x70;#x74;#x3a;#x61;#x6c;#x65;#x72;#x74;#x28;#x27;#x58;#x53;#x53;#x27;#x29;#x3b">
  
 <SCRIPT LANGUAGE="JavaScript">
 eval("x6ax61x76x61x73x63x72x69x70x74x3ax61x6cx65x72x74x28x22x58x53x53x22x29")
 </SCRIPT>

