Introduction: ASP sites make up a very large share of the web, but their poor security is also widely criticised. If you understand ASP thoroughly, none of this is really a problem.
XSS is a very typical way of attacking ASP applications; if our code is robust enough, XSS is just a paper tiger and we can keep it out as well.
Today I wrote an ASP function specifically to guard against XSS attacks. Here is the function code:
Function Safexss(byVal ChkStr)
    Dim Str
    Str = ChkStr
    If IsNull(Str) Then
        Safexss = ""
        Exit Function
    End If
    ' Encode the characters that can open a tag, attribute, or script context.
    ' "&" is handled first so the entities inserted below are not encoded twice.
    ' (The entities were decoded when this page was extracted; their form here is reconstructed.)
    Str = Replace(Str, "&", "&amp;")
    Str = Replace(Str, "'", "&#39;")
    Str = Replace(Str, """", "&quot;")
    Str = Replace(Str, "<", "&lt;")
    Str = Replace(Str, ">", "&gt;")
    Str = Replace(Str, "/", "&#47;")
    Str = Replace(Str, "*", "&#42;")
    ' Break SQL and script keywords by replacing one letter with its numeric entity,
    ' so the stored value no longer contains the bare keyword (case-insensitive).
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True
    re.Pattern = "(w)(here)"
    Str = re.Replace(Str, "$1&#104;ere")
    re.Pattern = "(s)(elect)"
    Str = re.Replace(Str, "$1&#101;lect")
    re.Pattern = "(i)(nsert)"
    Str = re.Replace(Str, "$1&#110;sert")
    re.Pattern = "(c)(reate)"
    Str = re.Replace(Str, "$1&#114;eate")
    re.Pattern = "(d)(rop)"
    Str = re.Replace(Str, "$1&#114;op")
    re.Pattern = "(a)(lter)"
    Str = re.Replace(Str, "$1&#108;ter")
    re.Pattern = "(d)(elete)"
    Str = re.Replace(Str, "$1&#101;lete")
    re.Pattern = "(u)(pdate)"
    Str = re.Replace(Str, "$1&#112;date")
    re.Pattern = "(\s)(or)"
    Str = re.Replace(Str, "$1&#111;r")
    ' (A "(\n)" rule in the original appended "or" after every newline, which corrupts
    ' multi-line input; it is left out here.)
    '----------------------------------
    re.Pattern = "(java)(script)"
    Str = re.Replace(Str, "$1&#115;cript")
    re.Pattern = "(j)(script)"
    Str = re.Replace(Str, "$1&#115;cript")
    re.Pattern = "(vb)(script)"
    Str = re.Replace(Str, "$1&#115;cript")
    '----------------------------------
    If InStr(Str, "expression") > 0 Then ' prevent XSS via CSS expression()
        Str = Replace(Str, "expression", "e&#120;pression", 1, -1, 0)
    End If
    Set re = Nothing
    Safexss = Str
End Function
How to use the Safexss function to guard against XSS attacks
Usage: Safexss(Request.QueryString("variable")) or Safexss(Request.Form("form field name"))
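To see concretely what the filter does to input, here is a Python port of Safexss together with two comparison helpers. This is an added example, not the page's own ASP code; the entity forms it emits (&lt;, &#39;, a numeric entity for one keyword letter) are an assumption, because the page's entities were decoded during extraction. The sample inputs are constructed.

```python
import html
import re
from typing import Optional

# Characters the ASP function rewrites, in the page's order ("&" first, so the
# entities inserted afterwards are not encoded a second time).
_CHAR_MAP = [
    ("&", "&amp;"), ("'", "&#39;"), ('"', "&quot;"), ("<", "&lt;"),
    (">", "&gt;"), ("/", "&#47;"), ("*", "&#42;"),
]

# (group 1, group 2) pairs mirroring the ASP regex rules; the first letter of
# group 2 is replaced by its numeric entity so the bare keyword disappears.
_KEYWORD_RULES = [
    ("w", "here"), ("s", "elect"), ("i", "nsert"), ("c", "reate"),
    ("d", "rop"), ("a", "lter"), ("d", "elete"), ("u", "pdate"),
    (r"\s", "or"),
    ("java", "script"), ("j", "script"), ("vb", "script"),
]


def _munge_keyword(m):
    # Keep group 1 and the matched case of group 2; encode group 2's first letter.
    head, tail = m.group(1), m.group(2)
    return f"{head}&#{ord(tail[0])};{tail[1:]}"


def safexss(value: Optional[str]) -> str:
    """Port of the page's Safexss transformation (assumed entity forms)."""
    if value is None:
        return ""
    out = value
    for raw, entity in _CHAR_MAP:
        out = out.replace(raw, entity)
    for g1, g2 in _KEYWORD_RULES:
        out = re.sub(f"({g1})({g2})", _munge_keyword, out, flags=re.IGNORECASE)
    # ASP's Replace(..., 1, -1, 0) uses a case-sensitive (binary) comparison.
    out = out.replace("expression", "e&#120;pression")
    return out


def rendered_text(value: str) -> str:
    """What a browser displays for a Safexss'd value placed in element content."""
    return html.unescape(value)


def context_encode(value: str) -> str:
    """The standard alternative: encode for the HTML context only and leave
    keywords alone (SQL is protected by parameterised queries, not by filters)."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ['<script>alert(1)</script>', "1 or 1=1 select * from t",
                   'He said "where are you?"']:
        print(repr(sample), "->", repr(safexss(sample)))
        print("  renders as:", repr(rendered_text(safexss(sample))))
```

Running it shows two things worth keeping in mind: the `<`, `>`, `"`, `'` and `&` encoding is what stops markup from being injected, while the keyword mangling only changes the stored bytes (ordinary text such as "where are you" becomes `w&#104;ere are you`) and renders back to the original string in the browser. Database queries should therefore be protected with parameterised queries rather than by this filter.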
Further reading: security of ASP applications
Notice: if you reproduce this article, please credit www.webym.net and keep the original link: http://www.webym.net/jiaocheng/187.html