using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using XSSAttacksFilter;
namespace TestXSSAttacksFilterSite
{
public partial class TestPolicy : System.Web.UI.Page
{
HtmlFilter _filter;

/// <summary>
/// Lazily constructed <see cref="HtmlFilter"/> bound to the policy file at
/// <see cref="PolicyFilePath"/>. The instance is created on first access and
/// cached in <c>_filter</c> for the lifetime of this page object.
/// </summary>
/// <remarks>
/// The lazy initialisation is not guarded by a lock; a Page instance is
/// normally handled by one request thread, so this is presumably fine, but
/// do not share the page object across threads. Only referenced from the
/// commented-out "explicit policy" branch in FilterAttacks as far as this
/// listing shows.
/// </remarks>
HtmlFilter Filter
{
    get
    {
        // Build the filter on first use, reusing it afterwards.
        return _filter ?? (_filter = new HtmlFilter(PolicyFilePath));
    }
}
string _policyFilePath;

/// <summary>
/// Physical path of the XSS filter policy file, resolved once from the
/// application-rooted virtual path <c>/resources/testPolicy.config</c> via
/// <c>Server.MapPath</c> and cached in <c>_policyFilePath</c>.
/// </summary>
/// <remarks>
/// The virtual path is a fixed literal, never derived from request input,
/// so no path-traversal concern arises here; keep it that way if the policy
/// location is ever made configurable.
/// </remarks>
string PolicyFilePath
{
    get
    {
        if (_policyFilePath == null)
        {
            // Resolve the policy file relative to the site root exactly once.
            string resolved = Server.MapPath("/resources/testPolicy.config");
            _policyFilePath = resolved;
        }
        return _policyFilePath;
    }
}
protected string txt;
protected void Page_Load(object sender, EventArgs e)
{
//
Stopwatch stopwatch = new Stopwatch();
//FilterAttacks("
", str => str.IndexOf("position") == -1);
stopwatch.Start();
testCssAttacks();
testHrefAttacks();
testScriptAttacks();
testImgAttacks();
//FilterAttacks("
sdasdasd asdf", str => str.IndexOf("
fn,[CallerMemberName] string propertyName = null)
{
var richtext = new RichText(str, PolicyFilePath);
txt += "\n==== in " + propertyName + " ==================================================\n原文:\n" + richtext.HtmlEncode + "\n";
//这里是启用默认的安全策略
str = "过滤\n" + HttpUtility.HtmlEncode(richtext.ToString());
////这里是使用指定的安全策略
//str = "过滤\n" + HttpUtility.HtmlEncode(Filter.Filters(str));
txt += str + "\n状态:" + (fn(str) ? "成功!" : "失败");
}
void testScriptAttacks()
{
FilterAttacks("</script>", str => str.IndexOf("script") == -1);
FilterAttacks("test", str => str.IndexOf("script") == -1);
FilterAttacks("<<<><", str => str.IndexOf("", str => str.IndexOf("", str => str.IndexOf("", str => str.IndexOf("", str => str.IndexOf("PT SRC=\"http://ha.ckers.org/xss.js\">", str => str.IndexOf("script") == -1);
FilterAttacks("