ASP.NET潜在危险的JavaScript申请正则表达式 [英] ASP.NET potentially Dangerous Request Javascript Regex
问题描述
什么是定期EX pression 中,微软的.NET框架用于执行标准的验证,其导致的Htt prequestValidationException当HTML或其他潜在的不安全内容发布从客户端检测到有潜在危险的Request.Form值。
What is the regular expression that Microsoft's .NET Framework uses to perform the standard validation that results in HttpRequestValidationException "A potentially dangerous Request.Form value was detected from the client" when HTML or other potentially unsafe content is posted.
我想有一个精确副本它转换为JavaScript,因此用户可以及早报警。
I'd like to have an exact copy of it converted to JavaScript so the user can be alerted early.
我现在经常EX pression。(/(安培;#)|< [^<>] +> /)接近,但不一样的.NET的
My current regular expression (/(&#)|<[^<>]+>/) is close, but not the same as .NET's.
我知道这可能是不同的.NET版本的不同,所以我特别想知道:
I'm aware this might be different for different .NET versions so specifically I'd like to know:
- 定期EX pression用于.NET 2
- 定期EX pression为.NET 4
推荐答案
您可以使用一些工具decompilig,看看自己有没有经常EX pression可言。它调用静态方法 CrossSiteScriptingValidation.IsDangerousString 。
You can use some decompilig tool and see for yourself that there no regular expression at all. It calls static method CrossSiteScriptingValidation.IsDangerousString.
但也许你可以使用微软AntiXSS库才达到相同。反正这里是方法:
But maybe you can use the Microsoft AntiXSS library to achive the same. Anyway here is the method:
internal static bool IsDangerousString(string s, out int matchIndex)
{
matchIndex = 0;
int num1 = 0;
int num2 = s.IndexOfAny(CrossSiteScriptingValidation.startingChars, num1);
if (num2 < 0)
{
return false;
}
if (num2 == s.Length - 1)
{
return false;
}
matchIndex = num2;
char chars = s.get_Chars(num2);
if ((chars == 38 || chars == 60) && (CrossSiteScriptingValidation.IsAtoZ(s.get_Chars(num2 + 1)) || s.get_Chars(num2 + 1) == 33 || s.get_Chars(num2 + 1) == 47 || s.get_Chars(num2 + 1) == 63))
{
return true;
}
else
{
if (s.get_Chars(num2 + 1) == 35)
{
return true;
}
}
num1 = num2 + 1;
}
这篇关于ASP.NET潜在危险的JavaScript申请正则表达式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
