客户端验证，其作用同.NET页识别/ XSS prevention？ [英] Client validation that acts the same as .NET page validator/XSS prevention?

问题描述

我已经得到了人们提交反馈/支持请​​求一个免费的文本形式。有时候人们会过去，它包含的东西，触发.NET页面验证器作为一个XSS试图支持票或错误日志。这需要用户的错误页面，如果该网站堵塞他们的意见。

I've got a free text form for people to submit feedback/support requests. Occasionally people will past in a support ticket or error log that contains something that triggers the .NET page validator as an XSS attempt. This takes the user to the error page as if the site choked on their input.

preferably，我宁愿页面做一些客户端验证时，preSS保存按钮之前，它的实际提交。

Preferably, I'd rather have the page do some client-side validation when they press the save button before it's actually submitted.

有一个正则表达式或某种方法我可以挂接到会做在客户端相同的基本检查，或将我只需要编写一个正则表达式，不允许某些字符都在一起，就像＆LT; 和＆GT;

Is there a regex or some method I can hook into that would do the same basic check on the client side, or will I just have to write a regex that disallows certain characters all together like < and >?

推荐答案

.NET 4.0的内部CrossSiteScriptingValidation使用IsDangerousString方法来满足这些条件：

.NET 4.0's internal CrossSiteScriptingValidation uses the IsDangerousString method to match on these conditions:

如果对＆LT唯一的发生;或放大器;是在后数据的末尾，那么它的安全。 如果＆LT;之后是A-Z，A-Z，/，？，或者！那么它是不安全的。 如果和放大器;后跟一个＃（井号！）那么它的不安全。

If the only occurrence of < or & is at the end of the post data, then it's safe. If < is followed by a-z, A-Z, /, ?, or ! then it's unsafe. If & is followed by a #(octothorpe!) then it's unsafe.

这正则表达式在JavaScript应该工作：

This regex in javascript should work:

/^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i

这篇关于客户端验证，其作用同.NET页识别/ XSS prevention？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！