通用html属性过来 样式过滤的优化
@@ -10,7 +10,7 @@
|
||||
<AppDesignerFolder>Properties</AppDesignerFolder>
|
||||
<RootNamespace>AntiSamy</RootNamespace>
|
||||
<AssemblyName>AntiSamy</AssemblyName>
|
||||
<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
|
||||
<TargetFrameworkVersion>v2.0</TargetFrameworkVersion>
|
||||
<FileAlignment>512</FileAlignment>
|
||||
<StartupObject>
|
||||
</StartupObject>
|
||||
|
||||
Binary file not shown.
@@ -1,3 +0,0 @@
|
||||
<?xml version="1.0"?>
|
||||
<configuration>
|
||||
<startup><supportedRuntime version="v2.0.50727"/></startup></configuration>
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -20,3 +20,14 @@ F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\AntiSa
|
||||
F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\obj\Debug\AntiSamy.dll
|
||||
F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\obj\Debug\AntiSamy.pdb
|
||||
F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\obj\Debug\AntiSamy.csprojResolveAssemblyReference.cache
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\AntiSamy.dll.config
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\AntiSamy.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\AntiSamy.pdb
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\Flute.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\HtmlAgilityPack.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\nunit.core.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\nunit.core.interfaces.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\bin\Debug\nunit.framework.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\obj\Debug\AntiSamy.csprojResolveAssemblyReference.cache
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\obj\Debug\AntiSamy.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\AntiSamy\obj\Debug\AntiSamy.pdb
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -8,3 +8,14 @@ F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\TestWe
|
||||
F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\obj\Debug\TestWebsite.csprojResolveAssemblyReference.cache
|
||||
F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\obj\Debug\TestWebsite.dll
|
||||
F:\学习\编程类\Web安全技术学习\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\obj\Debug\TestWebsite.pdb
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\TestWebsite.dll.config
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\TestWebsite.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\TestWebsite.pdb
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\AntiSamy.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\Flute.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\HtmlAgilityPack.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\nunit.framework.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\bin\AntiSamy.pdb
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\obj\Debug\TestWebsite.csprojResolveAssemblyReference.cache
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\obj\Debug\TestWebsite.dll
|
||||
E:\GIT\web-security\XSS-Filter-OwaspAntisamy\dotNet\TestWebsite\obj\Debug\TestWebsite.pdb
|
||||
|
||||
Binary file not shown.
@@ -9,9 +9,9 @@ namespace StyleSheetsParser
|
||||
{
|
||||
public class CssAttribute:CssRule
|
||||
{
|
||||
public CssAttribute(string name, string value=null)
|
||||
public CssAttribute(string name, string value = null)
|
||||
: base(name)
|
||||
{ this.Value =Regex.Replace( value.Replace("\n", " ").Replace("\r", ""),@"\s{2}"," "); }
|
||||
{ if (value != null) { this.Value = Regex.Replace(value.Trim().Replace("\n", " ").Replace("\r", ""), @"\s{2}", " "); } }
|
||||
public string Value { get;set; }
|
||||
protected override string GetCssString()
|
||||
{
|
||||
|
||||
@@ -191,6 +191,7 @@ namespace StyleSheetsParser
|
||||
{
|
||||
attrName = sb.ToString();
|
||||
sb.Clear();
|
||||
RemoveSpace();
|
||||
}
|
||||
}
|
||||
else if (ch == ';' || ch == '}')
|
||||
|
||||
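Review bot: The whitespace-collapsing pattern on the new constructor line, `@"\s{2}"`, replaces exactly two whitespace characters with one space, so three spaces become two and four become two: the normalisation is not idempotent and `Value` can still contain double spaces after construction. Use `@"\s{2,}"` so any run collapses to a single space, and since the pattern is re-parsed on every CssAttribute construction consider hoisting it to `private static readonly Regex MultiSpace = new Regex(@"\s{2,}", RegexOptions.Compiled);` and writing `this.Value = MultiSpace.Replace(value.Trim().Replace("\n", " ").Replace("\r", ""), " ");`. The `\r` removal runs after `\n` has become a space, so a CRLF pair collapses to one space as presumably intended; a comment stating that `Value` stays null when no value is passed would help callers of the new null-guarded branch. `GetCssString` and the parse loop touched by the second hunk start or end outside the hunk.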
Binary file not shown.
Binary file not shown.
@@ -12,3 +12,8 @@ F:\学习\编程类\Web安全技术学习\XSSAttachs\StyleSheetsParser\bin\Debug
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\StyleSheetsParser\obj\Debug\StyleSheetsParser.dll
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\StyleSheetsParser\obj\Debug\StyleSheetsParser.pdb
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\StyleSheetsParser\obj\Debug\StyleSheetsParser.csprojResolveAssemblyReference.cache
|
||||
E:\GIT\web-security\XSSAttachs\StyleSheetsParser\bin\Debug\StyleSheetsParser.dll
|
||||
E:\GIT\web-security\XSSAttachs\StyleSheetsParser\bin\Debug\StyleSheetsParser.pdb
|
||||
E:\GIT\web-security\XSSAttachs\StyleSheetsParser\obj\Debug\StyleSheetsParser.csprojResolveAssemblyReference.cache
|
||||
E:\GIT\web-security\XSSAttachs\StyleSheetsParser\obj\Debug\StyleSheetsParser.dll
|
||||
E:\GIT\web-security\XSSAttachs\StyleSheetsParser\obj\Debug\StyleSheetsParser.pdb
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -9,7 +9,11 @@
|
||||
<style>
|
||||
.column{position:fixed;top:0;bottom:50%;left:0;right:0;overflow:auto;display:block;border:none;padding:0;white-space:nowrap;}
|
||||
.column.right{border-top:solid 1px #ccc;top:50%;bottom:30px;overflow:hidden;}
|
||||
.column > textarea{display:block;width:100%;height:100%;border:none;overflow:auto;padding:0;}
|
||||
.richtext {position:absolute;top:35px;bottom:0;left:0;right:0;}
|
||||
.richtext > textarea{display:block;width:100%;height:100%;border:none;overflow:auto;padding:0;}
|
||||
.policy {line-height:35px;position:relative;}
|
||||
.policy > .txt {position:absolute;top:0;left:100px;bottom:0;right:0;}
|
||||
#txtPolicy {border:none;border-bottom:solid 1px #ccc;width:100%; }
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
@@ -17,10 +21,9 @@
|
||||
|
||||
<div class="column"><%= html==null?null:HttpUtility.HtmlEncode(html).Replace("\n","<br />") %></div>
|
||||
<div class="column right">
|
||||
<asp:TextBox TextMode="MultiLine" id="txt" runat="server">
|
||||
|
||||
|
||||
</asp:TextBox></div>
|
||||
<div class="policy"><label for="txtPolicy">过滤策略:</label><div class="txt"><asp:TextBox ID="txtPolicy" runat="server"></asp:TextBox></div> </div>
|
||||
<div class="richtext"><asp:TextBox TextMode="MultiLine" id="txt" runat="server"></asp:TextBox></div>
|
||||
</div>
|
||||
<div style="position:fixed;bottom:0;left:0;right:0;height:30px;text-align:center;">
|
||||
<asp:LinkButton ID="btn" runat="server" OnClick="btn_Click">submit</asp:LinkButton>
|
||||
</div>
|
||||
|
||||
@@ -20,14 +20,18 @@ namespace TestXSSAttacksFilterSite
|
||||
public StringBuilder html;
|
||||
protected void Page_Load(object sender, EventArgs e)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(txtPolicy.Text)) { txtPolicy.Text = "/resources/testPolicy.config"; }
|
||||
|
||||
}
|
||||
string _policyFilePath;
|
||||
string PolicyFilePath { get { if (_policyFilePath == null)_policyFilePath = Server.MapPath(txtPolicy.Text.Trim()); return _policyFilePath; } }
|
||||
void FilterAttacks(string str, Func<string, bool> fn=null,[CallerMemberName] string propertyName = null)
|
||||
{
|
||||
var richtext = new RichText(str, PolicyFilePath);
|
||||
html.Append("\n== in == "+propertyName+" ==================================================\n原文:\n" + str + "\n");
|
||||
//html.Append("====================================================================================================");
|
||||
html.Append("JavaScript:\n" + ((RichText)str).JavascriptEncode);
|
||||
html.Append("\n过滤:\n" + ((RichText)str));
|
||||
//html.Append("JavaScript:\n" + richtext.JavascriptEncode);
|
||||
html.Append("\n过滤:\n" + richtext.ToString());
|
||||
html.Append((fn == null ? null : "\n状态:" + (fn(str) ? "成功!" : "失败")));
|
||||
}
|
||||
protected void btn_Click(object sender, EventArgs e)
|
||||
|
||||
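Review bot: `PolicyFilePath` now resolves whatever the request puts in `txtPolicy` through `Server.MapPath`, so the client chooses which file is loaded as the filter policy. `Server.MapPath` rejects `..` sequences that climb above the application root, but as far as I can tell any file under the root (for example `/web.config`) is still reachable, and the policy file defines the whitelist the filter enforces, so a permissive or malformed policy can be selected per request and parse errors may disclose physical paths. That is acceptable only if this test page never leaves a local dev box; otherwise restrict the input to a bare file name inside `~/resources/` and verify the resolved path stays there, as sketched below (needs `System.IO` in scope). `btn_Click` and the rest of the page class continue outside the hunk.
```csharp
string PolicyFilePath
{
    get
    {
        if (_policyFilePath == null)
        {
            // Only a file name is accepted; policies must live under ~/resources/.
            var name = Path.GetFileName(txtPolicy.Text.Trim());
            var dir = Server.MapPath("~/resources/");
            var full = Path.GetFullPath(Path.Combine(dir, name));
            if (!full.StartsWith(dir, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
                throw new HttpException(400, "invalid policy file");
            _policyFilePath = full;
        }
        return _policyFilePath;
    }
}
// … unchanged: FilterAttacks …
```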
@@ -21,6 +21,15 @@ namespace TestXSSAttacksFilterSite {
|
||||
/// </remarks>
|
||||
protected global::System.Web.UI.HtmlControls.HtmlForm form1;
|
||||
|
||||
/// <summary>
|
||||
/// txtPolicy 控件。
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// 自动生成的字段。
|
||||
/// 若要进行修改,请将字段声明从设计器文件移到代码隐藏文件。
|
||||
/// </remarks>
|
||||
protected global::System.Web.UI.WebControls.TextBox txtPolicy;
|
||||
|
||||
/// <summary>
|
||||
/// txt 控件。
|
||||
/// </summary>
|
||||
|
||||
@@ -20,10 +20,12 @@ namespace TestXSSAttacksFilterSite
|
||||
get
|
||||
{
|
||||
if (_filter==null)
|
||||
_filter = new HtmlFilter(Server.MapPath("/resources/testPolicy.config"));
|
||||
_filter = new HtmlFilter(PolicyFilePath);
|
||||
return _filter;
|
||||
}
|
||||
}
|
||||
string _policyFilePath;
|
||||
string PolicyFilePath { get { if (_policyFilePath == null)_policyFilePath = Server.MapPath("/resources/testPolicy.config"); return _policyFilePath; } }
|
||||
protected string txt;
|
||||
protected void Page_Load(object sender, EventArgs e)
|
||||
{
|
||||
@@ -42,14 +44,14 @@ namespace TestXSSAttacksFilterSite
|
||||
}
|
||||
void FilterAttacks(string str, Func<string, bool> fn,[CallerMemberName] string propertyName = null)
|
||||
{
|
||||
txt += "\n==== in " + propertyName + " ==================================================\n原文:\n" + ((RichText)str).HtmlEncode + "\n";
|
||||
var richtext = new RichText(str, PolicyFilePath);
|
||||
txt += "\n==== in " + propertyName + " ==================================================\n原文:\n" + richtext.HtmlEncode + "\n";
|
||||
//这里是启用默认的安全策略
|
||||
str = "过滤\n" + HttpUtility.HtmlEncode((RichText)str);
|
||||
str = "过滤\n" + HttpUtility.HtmlEncode(richtext.ToString());
|
||||
|
||||
////这里是使用指定的安全策略
|
||||
//str = "过滤\n" + HttpUtility.HtmlEncode(Filter.Filters(str));
|
||||
|
||||
|
||||
txt += str + "\n状态:" + (fn(str) ? "成功!" : "失败");
|
||||
}
|
||||
void testScriptAttacks()
|
||||
|
||||
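Review bot: In the rewritten `FilterAttacks`, the status predicate is evaluated on the display string, not on the filter output: `str` is reassigned to `"过滤\n" + HttpUtility.HtmlEncode(richtext.ToString())` and that encoded, labelled text is what `fn(str)` receives. If the predicates passed by the test methods look for surviving markup such as `<script` (the callers are outside this hunk, so this is inferred), every test reports 成功 because `<` has already become `&lt;`. Keep the filtered value in its own local and encode only for output: `var filtered = richtext.ToString();` followed by `txt += "过滤\n" + HttpUtility.HtmlEncode(filtered) + "\n状态:" + (fn(filtered) ? "成功!" : "失败");`. Unlike the TestWebsite counterpart, this overload has no null guard on `fn`; either add one or document that it is required.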
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -29,3 +29,14 @@ F:\学习\编程类\Web安全技术学习\XSSAttachs\TestXSSAttacksFilterSite\ob
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\TestXSSAttacksFilterSite\obj\Debug\TestXSSAttacksFilterSite.dll
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\TestXSSAttacksFilterSite\obj\Debug\TestXSSAttacksFilterSite.pdb
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\TestXSSAttacksFilterSite\bin\TestXSSAttacksFilterSite.dll.config
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\TestXSSAttacksFilterSite.dll.config
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\TestXSSAttacksFilterSite.dll
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\TestXSSAttacksFilterSite.pdb
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\StyleSheetsParser.dll
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\XSSAttacksFilter.dll
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\HtmlAgilityPack.dll
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\StyleSheetsParser.pdb
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\bin\XSSAttacksFilter.pdb
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\obj\Debug\TestXSSAttacksFilterSite.csprojResolveAssemblyReference.cache
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\obj\Debug\TestXSSAttacksFilterSite.dll
|
||||
E:\GIT\web-security\XSSAttachs\TestXSSAttacksFilterSite\obj\Debug\TestXSSAttacksFilterSite.pdb
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -141,8 +141,8 @@ namespace XSSAttacksFilter
|
||||
/// <returns></returns>
|
||||
public static bool ValidateAttribute(PolicyAttribute attr, string value)
|
||||
{
|
||||
if (attr == null) return false;
|
||||
value = HtmlEntity.DeEntitize(value);
|
||||
if (attr == null || string.IsNullOrWhiteSpace(value)) return false;
|
||||
value = HtmlEntity.DeEntitize(value.Trim());
|
||||
////验证是否在限定的值之内
|
||||
if (attr.AllowedValues != null)
|
||||
{
|
||||
|
||||
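Review bot: The new `ValidateAttribute` lines trim `value` before `HtmlEntity.DeEntitize` decodes it, so whitespace and control characters that arrive entity-encoded (`&#9;`, `&#32;`, `&#x0A;`) survive at the start or end of the decoded value. Whether that matters depends on the policy regexes that are checked further down (outside this hunk): an anchored whitelist will still reject `\tjavascript:` on its own, but any looser pattern could be bypassed, and browsers ignore exactly that leading whitespace in URL schemes. Decode first, then trim and test for emptiness: `if (attr == null || value == null) return false;` / `value = HtmlEntity.DeEntitize(value).Trim();` / `if (value.Length == 0) return false;`. A short comment noting that empty and whitespace-only attribute values are rejected rather than passed through would make the new early return intentional for the next reader; the method body continues past the hunk.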
@@ -37,7 +37,7 @@ namespace XSSAttacksFilter
|
||||
var a = allowedAttributes.ContainsKey(name) ? allowedAttributes[name] : null;
|
||||
if (a == null)
|
||||
{
|
||||
a = Policy.GlobalHtmlAttribute(name);
|
||||
a = Policy.CommonHtmlAttribute(name);// Policy.GlobalHtmlAttribute(name);
|
||||
}
|
||||
return a;
|
||||
}
|
||||
|
||||
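Review bot: The replaced line keeps the old call as a trailing comment, `a = Policy.CommonHtmlAttribute(name);// Policy.GlobalHtmlAttribute(name);`, which reads as a stale alternative rather than a design note; drop it, or replace it with a comment stating the intent, e.g. `// attributes not listed for this tag fall back to the policy's common (global) attribute set`. The lookup two lines above also does `ContainsKey` followed by the indexer, a double lookup that `TryGetValue` avoids: declare `a` with the dictionary's value type and write `if (!allowedAttributes.TryGetValue(name, out a)) { a = Policy.CommonHtmlAttribute(name); }`. Note that the fallback means any tag now accepts every common attribute, so the security of the result rests entirely on what the policy lists there; the enclosing method's signature is outside the hunk.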
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -20,3 +20,10 @@ F:\学习\编程类\Web安全技术学习\XSSAttachs\XSSAttacksFilters\bin\Debug
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\XSSAttacksFilters\obj\Debug\XSSAttacksFilters.csprojResolveAssemblyReference.cache
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\XSSAttacksFilters\obj\Debug\XSSAttacksFilter.dll
|
||||
F:\学习\编程类\Web安全技术学习\XSSAttachs\XSSAttacksFilters\obj\Debug\XSSAttacksFilter.pdb
|
||||
E:\GIT\web-security\XSSAttachs\XSSAttacksFilters\bin\Debug\XSSAttacksFilter.dll
|
||||
E:\GIT\web-security\XSSAttachs\XSSAttacksFilters\bin\Debug\XSSAttacksFilter.pdb
|
||||
E:\GIT\web-security\XSSAttachs\XSSAttacksFilters\bin\Debug\StyleSheetsParser.dll
|
||||
E:\GIT\web-security\XSSAttachs\XSSAttacksFilters\bin\Debug\StyleSheetsParser.pdb
|
||||
E:\GIT\web-security\XSSAttachs\XSSAttacksFilters\obj\Debug\XSSAttacksFilters.csprojResolveAssemblyReference.cache
|
||||
E:\GIT\web-security\XSSAttachs\XSSAttacksFilters\obj\Debug\XSSAttacksFilter.dll
|
||||
E:\GIT\web-security\XSSAttachs\XSSAttacksFilters\obj\Debug\XSSAttacksFilter.pdb
|
||||
|
||||
Binary file not shown.