pjblog仿xss函数
[ 2009-09-19 08:20:48 | 作者: admin ]
p.s. 函数去掉脚本和标签替换部分可以可以应与防注入
测试代码
'*************************************
'防XSS注入函数 更新于2009-04-21 by evio
'与checkstr()相比, checkxss更加安全
'*************************************
Function Checkxss(byVal ChkStr)
Dim Str
Str = ChkStr
If IsNull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str, "&", "&")
Str = Replace(Str, "'", "´")
Str = Replace(Str, """", """)
Str = Replace(Str, "<", "<")
Str = Replace(Str, ">", ">")
Str = Replace(Str, "/", "/")
Str = Replace(Str, "*", "*")
Dim re
Set re = New RegExp
re.IgnoreCase = True
re.Global = True
re.Pattern = "(w)(here)"
Str = re.Replace(Str, "$1here")
re.Pattern = "(s)(elect)"
Str = re.Replace(Str, "$1elect")
re.Pattern = "(i)(nsert)"
Str = re.Replace(Str, "$1nsert")
re.Pattern = "(c)(reate)"
Str = re.Replace(Str, "$1reate")
re.Pattern = "(d)(rop)"
Str = re.Replace(Str, "$1rop")
re.Pattern = "(a)(lter)"
Str = re.Replace(Str, "$1lter")
re.Pattern = "(d)(elete)"
Str = re.Replace(Str, "$1elete")
re.Pattern = "(u)(pdate)"
Str = re.Replace(Str, "$1pdate")
re.Pattern = "(\s)(or)"
Str = re.Replace(Str, "$1or")
re.Pattern = "(\n)"
Str = re.Replace(Str, "$1or")
'----------------------------------
re.Pattern = "(java)(script)"
Str = re.Replace(Str, "$1script")
re.Pattern = "(j)(script)"
Str = re.Replace(Str, "$1script")
re.Pattern = "(vb)(script)"
Str = re.Replace(Str, "$1script")
'----------------------------------
If Instr(Str, "expression") > 0 Then
Str = Replace(Str, "expression", "e­xpression", 1, -1, 0) '防止xss注入
End If
Set re = Nothing
Checkxss = Str
End Function
测试代码
测试代码:
<script> alert(/xss0/) </script>
<img src= "javascript:alert(/xss1/) " width=100>
<img src= "javascript:alert(/xss2/) " width=100>
<img src= "javas cript:alert(/xss3/) " width=100>
<img src= "# " onerror=alert(/xss4/)>
<img src= "# "/**/onerror=alert(/xss5/) width=100>
<img src= "# " style= "Xss:expression(alert(/xss6/)); ">
<img src="javascript:alert('XSS');">
<SCRIPT LANGUAGE="JavaScript">
eval("\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29")
</SCRIPT>
<script> alert(/xss0/) </script>
<img src= "javascript:alert(/xss1/) " width=100>
<img src= "javascript:alert(/xss2/) " width=100>
<img src= "javas cript:alert(/xss3/) " width=100>
<img src= "# " onerror=alert(/xss4/)>
<img src= "# "/**/onerror=alert(/xss5/) width=100>
<img src= "# " style= "Xss:expression(alert(/xss6/)); ">
<img src="javascript:alert('XSS');">
<SCRIPT LANGUAGE="JavaScript">
eval("\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29")
</SCRIPT>
'*************************************
'防XSS注入函数 更新于2009-04-21 by evio
'与checkstr()相比, checkxss更加安全
'*************************************
Function Checkxss(byVal ChkStr)
Dim Str
Str = ChkStr
If IsNull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str, "&", "&")
Str = Replace(Str, "'", "´")
Str = Replace(Str, """", """)
Str = Replace(Str, "<", "<")
Str = Replace(Str, ">", ">")
Str = Replace(Str, "/", "/")
Str = Replace(Str, "*", "*")
Dim re
Set re = New RegExp
re.IgnoreCase = True
re.Global = True
re.Pattern = "(w)(here)"
Str = re.Replace(Str, "$1here")
re.Pattern = "(s)(elect)"
Str = re.Replace(Str, "$1elect")
re.Pattern = "(i)(nsert)"
Str = re.Replace(Str, "$1nsert")
re.Pattern = "(c)(reate)"
Str = re.Replace(Str, "$1reate")
re.Pattern = "(d)(rop)"
Str = re.Replace(Str, "$1rop")
re.Pattern = "(a)(lter)"
Str = re.Replace(Str, "$1lter")
re.Pattern = "(d)(elete)"
Str = re.Replace(Str, "$1elete")
re.Pattern = "(u)(pdate)"
Str = re.Replace(Str, "$1pdate")
re.Pattern = "(\s)(or)"
Str = re.Replace(Str, "$1or")
re.Pattern = "(\n)"
Str = re.Replace(Str, "$1or")
'----------------------------------
re.Pattern = "(java)(script)"
Str = re.Replace(Str, "$1script")
re.Pattern = "(j)(script)"
Str = re.Replace(Str, "$1script")
re.Pattern = "(vb)(script)"
Str = re.Replace(Str, "$1script")
'----------------------------------
If Instr(Str, "expression") > 0 Then
Str = Replace(Str, "expression", "e­xpression", 1, -1, 0) '防止xss注入
End If
Set re = Nothing
Checkxss = Str
End Function
[最后修改由 admin, 于 2010-03-03 14:39:45]
评论Feed: http://blog.xg98.com/feed.asp?q=comment&id=1276
这篇日志没有评论。
此日志不可发表评论。