思路: 對程序代碼進行過濾非法的關鍵字
新建控制台程序,編寫代碼測試過濾效果
class Program { static void Main(string[] args) { //GetStrRegex(); Console.WriteLine("請輸入字符串:"); string str = Console.ReadLine(); for (int i = 0; i < 100; i++) { Test(str); } } static void Test(string str) { Console.WriteLine("請輸入正則表達式:"); string StrRegex = Console.ReadLine(); str = Regex.Replace(str, StrRegex, "", RegexOptions.IgnoreCase); Console.WriteLine($"處理后的字符串為:{str}"); } }
輸入字符串測試及正則表達式,觀察測試效果
字符串:<script>(script)</script><style>alert("中國偉大復興")</style><h1>111</h1><h2>222</h2>drop delete <div style=""> select update exec trunc database table index @@@hao好的// 中國。湖北。武漢&& 湖北-- 中國加油! 正則表達式:
a: <[^>]*|
b: <[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)
經過多次測試,選擇你所認為合適的正則表達式
下面是我目前選擇的正則表達式,你可以根據需要進行修改
static string GetStrRegex() { List<string> strList = new List<string>(); List<string> htmlList = new List<string>() { "<h1>","<h2>","<h3>","<h4>","<h5>","<h6>","<style>","<script>","javascript","onload","onerror","eval","alert","prompt"}; List<string> sqlList = new List<string>() { "select","update","delete","drop","trunc","exec","table","database","or","and"}; List<string> chList = new List<string>() { "//","--", "@", "&" ,"||"}; strList.AddRange(htmlList); strList.AddRange(sqlList); strList.AddRange(chList); string strRegex = string.Join("|", strList.ToArray()); Console.WriteLine($"你的正則表達式是{strRegex}"); return strRegex; }
測試效果
其實最簡單的做法就是url編碼、html編碼一下就可以了