pjblog防XSS函数

[ 2009-09-19 08:20:48 | 作者: admin ]
p.s. 去掉脚本和标签替换部分后，该函数也可用于防注入。（注意：对 SQL 关键字做 HTML 实体编码并不能真正防止 SQL 注入，数据库层应使用参数化查询。）

测试代码:

<script> alert(/xss0/) </script>
<img src= "javascript:alert(/xss1/) " width=100>
<img src= "javascrip&#116&#58alert(/xss2/) " width=100>
<img src= "javas cript:alert(/xss3/) " width=100>
<img src= "# " onerror=alert(/xss4/)>
<img src= "# "/**/onerror=alert(/xss5/) width=100>
<img src= "# " style= "Xss:expression(alert(/xss6/)); ">

<img src="&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3a&#x61&#x6c&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29&#x3b">

<SCRIPT LANGUAGE="JavaScript">
eval("\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29")
</SCRIPT>

'*************************************
'防XSS注入函数 更新于2009-04-21 by evio
'与checkstr()相比, checkxss更加安全
'*************************************
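Function Checkxss(byVal ChkStr)
        ' Escapes an untrusted string for output as HTML text, then rewrites a
        ' few keywords the author wanted to neutralise (SQL verbs, script URL
        ' schemes, CSS expression()).
        '
        ' ChkStr  : untrusted input; Null is accepted.
        ' Returns : the escaped String ("" for Null).
        '
        ' Security notes (review):
        '  * The actual XSS protection is the &, ', ", <, > escaping below:
        '    after it the value cannot open a tag or close an attribute when
        '    placed in HTML text or a quoted attribute.
        '  * The keyword rewrites only insert HTML entities. Browsers decode
        '    entities inside attribute values, so "javascri&#112;t:" is still
        '    "javascript:" if a caller puts the result in href=/src=. Do not
        '    rely on them: validate URL schemes separately, and use
        '    parameterised queries for SQL - entity-encoding a letter of
        '    "select" does nothing against SQL injection.
        '  * The rewrites also corrupt legitimate text ("order" becomes
        '    "o&#114;der", "where" becomes "wh&#101;re"); they are kept only
        '    for backward compatibility with existing stored data.
        Dim Str
        Str = ChkStr
        If IsNull(Str) Then
              ' Bug fix: the original assigned CheckStr (a different name) and
              ' therefore returned Empty instead of "".
              Checkxss = ""
              Exit Function
        End If

        ' "&" must be escaped first so the entities added below are not
        ' escaped a second time.
        Str = Replace(Str, "&", "&amp;")
        ' NOTE: &acute; is U+00B4 (acute accent), not an apostrophe; the exact
        ' escape would be &#39;. Kept as-is to preserve existing output.
        Str = Replace(Str, "'", "&acute;")
        Str = Replace(Str, """", "&quot;")
        Str = Replace(Str, "<", "&lt;")
        Str = Replace(Str, ">", "&gt;")
        Str = Replace(Str, "/", "&#47;")
        Str = Replace(Str, "*", "&#42;")

        ' Keyword rewrites, applied in the original order. Each pair is
        ' (pattern, replacement); one letter of the keyword is swapped for
        ' its numeric entity. All patterns are matched case-insensitively.
        Dim rules
        rules = Array( _
              "(w)(here)",      "$1h&#101;re", _
              "(s)(elect)",     "$1el&#101;ct", _
              "(i)(nsert)",     "$1ns&#101;rt", _
              "(c)(reate)",     "$1r&#101;ate", _
              "(d)(rop)",       "$1ro&#112;", _
              "(a)(lter)",      "$1lt&#101;r", _
              "(d)(elete)",     "$1el&#101;te", _
              "(u)(pdate)",     "$1p&#100;ate", _
              "(\s)(or)",       "$1o&#114;", _
              "(java)(script)", "$1scri&#112;t", _
              "(j)(script)",    "$1scri&#112;t", _
              "(vb)(script)",   "$1scri&#112;t", _
              "(e)(xpression)", "$1&#173;$2" _
        )
        ' Bug fix: the original also replaced every "\n" with "\n" followed by
        ' "o&#114;", appending a stray "or" after each line break - evidently a
        ' copy-paste of the "(\s)(or)" rule. That rule is dropped; newlines are
        ' harmless once < and > are escaped. If newline -> <br> was intended,
        ' add it explicitly.
        ' Bug fix: expression() was handled with a case-sensitive Instr/Replace
        ' and so missed "Expression(...)"; it now uses the same case-insensitive
        ' RegExp as the other rules, with $2 preserving the input's case.

        Dim re, i
        Set re = New RegExp
        re.IgnoreCase = True
        re.Global = True
        For i = 0 To UBound(rules) Step 2
              re.Pattern = rules(i)
              Str = re.Replace(Str, rules(i + 1))
        Next
        Set re = Nothing

        Checkxss = Str
End Function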
[最后修改由 admin, 于 2010-03-03 14:39:45]