C# NET中具有特定src属性值的IFrame的反XSS清理
我希望完成以下工作:使用AntiXSS或AntiSamy库清理WYSIWYG用户输入,但允许“src”属性指向特定域的iframe标记。有没有办法做到这一点?我在考虑先用正则表达式解析,然后用……。谢谢。
标签:c#, .net, xss
我也想为我的一个WYSIWYG编辑器做一些HTML清理。一种方法是使用
Microsoft反跨站点脚本库
另一种方法是为HTML创建一个白名单解析器
以下是我配合HTML Agility Pack使用的代码,您可以通过标签及其允许的属性来配置白名单:
公共静态类HtmlSanitizer
{
私有静态只读IDictionary白名单;
私有静态列表DeletableNodesXpath=new List()
static HtmlSanitizer()
{
白名单=新字典{
{“a”,新的[]{“href”},
{“强”,null},
{“em”,null},
{“blockquote”,null},
{“b”,null},
{“p”,null},
{“ul”,null},
{“ol”,null},
{“li”,null},
{“div”,新[]{“align”},
{“strike”,null},
{“u”,null},
{“sub”,null},
{“sup”,null},
{“table”,null},
{“tr”,null},
{“td”,null},
{“th”,null}
};
}
公共静态字符串清理(字符串输入)
{
if(input.Trim().长度<1)
返回字符串。空;
var htmlDocument=新的htmlDocument();
htmlDocument.LoadHtml(输入);
SanitizeNode(htmlDocument.DocumentNode);
字符串xPath=HtmlSanitizer.CreateXPath();
返回StripHtml(htmlDocument.DocumentNode.WriteTo().Trim(),xPath);
}
私有静态void SanitizeChildren(HtmlNode parentNode)
{
对于(int i=parentNode.ChildNodes.Count-1;i>=0;i--)
{
SanitizeNode(parentNode.ChildNodes[i]);
}
}
私有静态void SanitizeNode(HtmlNode节点)
{
if(node.NodeType==HtmlNodeType.Element)
{
如果(!Whitelist.ContainsKey(node.Name))
{
如果(!DeletableNodesXpath.Contains(node.Name))
{
//DeletableNodesXpath.Add(node.Name.Replace(“?”,”);
node.Name=“removeableNode”;
DeletableNodesXpath.Add(node.Name);
}
if(node.HasChildNodes)
{
卫生技术儿童(节点);
}
返回;
}
if(node.HasAttributes)
{
对于(int i=node.Attributes.Count-1;i>=0;i--)
{
HtmlAttribute currentAttribute=node.Attributes[i];
string[]allowedAttributes=白名单[node.Name];
如果(allowedAttributes!=null)
{
如果(!allowedAttributes.Contains(currentAttribute.Name))
{
node.Attributes.Remove(currentAttribute);
}
}
其他的
{
node.Attributes.Remove(currentAttribute);
}
}
}
}
if(node.HasChildNodes)
{
卫生技术儿童(节点);
}
}
私有静态字符串StripHtml(字符串html、字符串xPath)
{
HtmlDocument htmlDoc=新HtmlDocument();
htmlDoc.LoadHtml(html);
如果(xPath.Length>0)
{
HtmlNodeCollection invalidNodes=htmlDoc.DocumentNode.SelectNodes(@xPath);
foreach(invalidNodes中的HtmlNode节点)
{
node.ParentNode.RemoveChild(node,true);
}
}
返回htmlDoc.DocumentNode.WriteContento();
}
私有静态字符串CreateXPath()
{
string _xPath=string.Empty;
for(int i=0;i
这是解决白名单问题的一个很好的方案;不过对白名单中的某些元素(如iframe等),我还必须额外解析并检查其src值。
/// <summary>
/// Builds the tag allowlist once, when the type is first used.
/// Each key is an element name; the value lists the attribute names that may
/// stay on that element, and <c>null</c> means no attribute is kept at all.
/// </summary>
static HtmlSanitizer()
{
    // Only attribute *names* are listed here; this table says nothing about
    // which attribute values are acceptable.
    Whitelist = new Dictionary<string, string[]>
    {
        ["a"] = new[] { "href" },
        ["strong"] = null,
        ["em"] = null,
        ["blockquote"] = null,
        ["b"] = null,
        ["p"] = null,
        ["ul"] = null,
        ["ol"] = null,
        ["li"] = null,
        ["div"] = new[] { "align" },
        ["strike"] = null,
        ["u"] = null,
        ["sub"] = null,
        ["sup"] = null,
        ["table"] = null,
        ["tr"] = null,
        ["td"] = null,
        ["th"] = null,
    };
}
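/// <summary>
/// Sanitizes an HTML fragment against the tag/attribute allowlist.
/// </summary>
/// <param name="input">Untrusted HTML, e.g. the content submitted by a WYSIWYG editor.</param>
/// <returns>
/// The sanitized markup, or <see cref="string.Empty"/> when <paramref name="input"/>
/// is null, empty or whitespace only.
/// </returns>
public static string Sanitize(string input)
{
    // A null input used to fail with a NullReferenceException on Trim();
    // treat it like any other empty submission.
    if (string.IsNullOrWhiteSpace(input))
    {
        return string.Empty;
    }

    var htmlDocument = new HtmlDocument();
    htmlDocument.LoadHtml(input);

    // Pass 1: rename disallowed elements and strip disallowed attributes in place.
    SanitizeNode(htmlDocument.DocumentNode);

    // Pass 2: serialize, then let StripHtml re-parse the markup and unwrap the
    // elements that pass 1 renamed.
    // NOTE(review): the names used to build the XPath live in the static
    // DeletableNodesXpath list, which is shared by every caller and not
    // synchronized anywhere in this file - confirm this is never called
    // concurrently, or guard the list.
    string xPath = HtmlSanitizer.CreateXPath();
    return StripHtml(htmlDocument.DocumentNode.WriteTo().Trim(), xPath);
}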
/// <summary>
/// Runs <see cref="SanitizeNode"/> over every direct child of
/// <paramref name="parentNode"/>, visiting the last child first.
/// </summary>
/// <param name="parentNode">Node whose children are sanitized.</param>
private static void SanitizeChildren(HtmlNode parentNode)
{
    int index = parentNode.ChildNodes.Count;

    // Walk backwards, from the last child down to index 0.
    while (--index >= 0)
    {
        SanitizeNode(parentNode.ChildNodes[index]);
    }
}
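/// <summary>
/// Applies the allowlist to <paramref name="node"/> and, recursively, to its descendants.
/// Elements that are not in <c>Whitelist</c> are renamed to a placeholder so that
/// StripHtml can unwrap them later; allowed elements keep only their allowed
/// attributes, and URL attributes must also carry an allowed scheme.
/// </summary>
/// <param name="node">The node to sanitize in place.</param>
private static void SanitizeNode(HtmlNode node)
{
    if (node.NodeType == HtmlNodeType.Element)
    {
        if (!Whitelist.ContainsKey(node.Name))
        {
            // The content of raw-text elements (script, style, ...) was never parsed
            // as markup, so it has not been checked against the allowlist. Sanitize
            // serializes the tree and StripHtml parses it again after the rename
            // below, at which point that content would be read as ordinary HTML and
            // kept. Drop it instead of unwrapping it.
            // NOTE(review): relies on HtmlAgilityPack flagging these elements as
            // CData elements - confirm against the library version in use.
            if (HtmlNode.IsCDataElement(node.Name))
            {
                node.RemoveAllChildren();
            }

            // Mark the element for removal. Register the placeholder name only once:
            // the previous check looked up the element's original name, which is
            // never stored, so the shared list gained one entry per disallowed element.
            node.Name = "removeableNode";
            if (!DeletableNodesXpath.Contains(node.Name))
            {
                DeletableNodesXpath.Add(node.Name);
            }

            if (node.HasChildNodes)
            {
                SanitizeChildren(node);
            }
            return;
        }

        if (node.HasAttributes)
        {
            // null means "no attributes allowed on this element".
            string[] allowedAttributes = Whitelist[node.Name];

            // Iterate backwards because attributes are removed while walking.
            for (int i = node.Attributes.Count - 1; i >= 0; i--)
            {
                HtmlAttribute currentAttribute = node.Attributes[i];
                bool nameAllowed = allowedAttributes != null
                    && allowedAttributes.Contains(currentAttribute.Name);

                // An allowed attribute name is not enough for URL attributes:
                // the value must not select a scripting or data scheme.
                if (!nameAllowed || !HasAllowedUrlScheme(currentAttribute))
                {
                    node.Attributes.Remove(currentAttribute);
                }
            }
        }
    }

    if (node.HasChildNodes)
    {
        SanitizeChildren(node);
    }
}

/// <summary>
/// Returns false when <paramref name="attribute"/> is a URL attribute (href or src)
/// whose value names a scheme other than http, https or mailto. Values without a
/// scheme (relative URLs) and all non-URL attributes are accepted.
/// </summary>
private static bool HasAllowedUrlScheme(HtmlAttribute attribute)
{
    if (attribute.Name != "href" && attribute.Name != "src")
    {
        return true;
    }

    // Decode character references first, then drop whitespace and control
    // characters, so that the scheme is compared in the form a browser would use.
    string decoded = HtmlEntity.DeEntitize(attribute.Value ?? string.Empty);
    var compact = new System.Text.StringBuilder(decoded.Length);
    foreach (char c in decoded)
    {
        if (!char.IsWhiteSpace(c) && !char.IsControl(c))
        {
            compact.Append(c);
        }
    }
    string url = compact.ToString();

    int colon = url.IndexOf(':');
    if (colon < 0)
    {
        return true; // no scheme at all: relative URL
    }

    int delimiter = url.IndexOfAny(new[] { '/', '?', '#' });
    if (delimiter >= 0 && delimiter < colon)
    {
        return true; // the colon belongs to the path, query or fragment
    }

    string scheme = url.Substring(0, colon);
    return scheme.Equals("http", System.StringComparison.OrdinalIgnoreCase)
        || scheme.Equals("https", System.StringComparison.OrdinalIgnoreCase)
        || scheme.Equals("mailto", System.StringComparison.OrdinalIgnoreCase);
}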
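/// <summary>
/// Re-parses <paramref name="html"/> and unwraps every node matched by
/// <paramref name="xPath"/>: the node itself is removed and its children are
/// kept in its place.
/// </summary>
/// <param name="html">Markup already processed by SanitizeNode.</param>
/// <param name="xPath">XPath selecting the placeholder elements; empty means nothing to remove.</param>
/// <returns>The serialized content of the resulting document.</returns>
private static string StripHtml(string html, string xPath)
{
    // NOTE(review): this is a second parse of serialized markup, and what it
    // produces is not checked against the allowlist again. Anything that parses
    // differently here than it did in the first pass reaches the output
    // unchecked, so keep the set of elements whose children are retained small
    // and cover this path with regression tests.
    HtmlDocument htmlDoc = new HtmlDocument();
    htmlDoc.LoadHtml(html);

    if (!string.IsNullOrEmpty(xPath))
    {
        HtmlNodeCollection invalidNodes = htmlDoc.DocumentNode.SelectNodes(xPath);

        // HtmlAgilityPack's SelectNodes returns null rather than an empty collection
        // when nothing matches. The XPath is built from a static list that outlives
        // a single call, so it can be non-empty for input that holds no disallowed
        // element; without this check such input throws a NullReferenceException.
        if (invalidNodes != null)
        {
            foreach (HtmlNode node in invalidNodes)
            {
                // true = keep the grandchildren, i.e. unwrap instead of delete.
                node.ParentNode.RemoveChild(node, true);
            }
        }
    }

    return htmlDoc.DocumentNode.WriteContentTo();
}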
/// <summary>
/// Builds one XPath union expression, <c>//name1|//name2|...</c>, from the
/// entries of <c>DeletableNodesXpath</c>.
/// </summary>
/// <returns>The union expression, or an empty string when the list is empty.</returns>
private static string CreateXPath()
{
    int total = DeletableNodesXpath.Count;
    var selectors = new string[total];

    // One descendant selector per registered name, in list order.
    for (int position = 0; position < total; position++)
    {
        selectors[position] = "//" + DeletableNodesXpath[position];
    }

    // Join puts "|" between the selectors only, never after the last one.
    return string.Join("|", selectors);
}
}