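/// <summary>
/// Formats the single-line warning written when the XSS detector trips on a request.
/// </summary>
/// <param name="ip">
/// Client address information as produced by the IP helper. It is derived from the request
/// and so may be attacker-influenced (e.g. via forwarded-for style headers — TODO confirm in
/// the helper); line breaks are neutralised so one event stays one log line.
/// </param>
/// <param name="validationResult">Detection outcome; only <c>DiseasedRequestPart</c> is used.</param>
/// <returns>
/// "Detected xss vulnerability. Time: &lt;UTC ISO-8601&gt;, IP:&lt;ip&gt;, Request Part: &lt;part&gt;".
/// </returns>
private string BuildLogMessage(string ip, RequestValidationResult validationResult)
        {
            // UTC in round-trip ("o") format: a local-time stamp with no zone marker cannot be
            // correlated with other systems' logs without guessing the server's zone/DST state.
            string timestamp = DateTime.UtcNow.ToString("o", CultureInfo.InvariantCulture);

            // Log-forging defence: a CR/LF smuggled into the IP field would otherwise let the
            // client fabricate additional, authentic-looking log entries.
            string safeIp = (ip ?? string.Empty).Replace("\r", " ").Replace("\n", " ");

            return string.Format(CultureInfo.InvariantCulture,
                "Detected xss vulnerability. Time: {0}, IP:{1}, Request Part: {2}",
                timestamp, safeIp, validationResult.DiseasedRequestPart);
        }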
 /// <summary>
 /// Emits a warning-level log entry for a request that matched the XSS detector,
 /// tagged with the client address information resolved by the IP helper.
 /// </summary>
 /// <param name="request">The offending request; used only to resolve the client IP.</param>
 /// <param name="validationResult">The detection result naming the request part that matched.</param>
 private void LogXssWarning(HttpRequest request, RequestValidationResult validationResult)
 {
     _logger.Warn(
         BuildLogMessage(_ipAdressHelper.GetIpInformation(request), validationResult));
 }
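        /// <summary>
        /// Scans the incoming request for XSS-like content and reports which part
        /// (query string or POST form) tripped the detection regex.
        /// </summary>
        /// <param name="request">The current request; <c>null</c> yields a valid result.</param>
        /// <returns>
        /// A <see cref="RequestValidationResult"/> with <c>IsValid == false</c> and the offending
        /// <see cref="DiseasedRequestPart"/> when a match is found. If both the query string and
        /// the form match, the form is reported because it is checked last.
        /// </returns>
        /// <remarks>
        /// Only the query string and, for POST requests, the form body are inspected; headers,
        /// cookies, the URL path and the bodies of other methods (PUT, PATCH) are not.
        /// Exceptions raised while reading <c>Request.Form</c> are logged (when logging is on)
        /// and rethrown unchanged.
        /// </remarks>
        public RequestValidationResult HasXssVulnerability(HttpRequest request)
        {
            // Resolve into a local so this call's matching cannot observe a concurrent call
            // overwriting the shared field; the field is still assigned for any other reader.
            Regex detector = ResolveDetectionRegex();
            _xssDetectionRegex = detector;

            RequestValidationResult result = new RequestValidationResult
            {
                IsValid = true,
                DiseasedRequestPart = DiseasedRequestPart.None
            };

            if (request == null)
            {
                return result;
            }

            if (ContainsSuspiciousContent(detector, request.QueryString))
            {
                result.IsValid = false;
                result.DiseasedRequestPart = DiseasedRequestPart.QueryString;
            }

            // Ordinal comparison: HTTP method tokens are ASCII identifiers, not linguistic text.
            if (request.HttpMethod.Equals("POST", StringComparison.OrdinalIgnoreCase))
            {
                System.Collections.Specialized.NameValueCollection form;

                try
                {
                    // The Form getter parses the entity body and can throw (e.g. the body was
                    // already consumed as a stream, or request length limits were exceeded).
                    form = request.Form;
                }
                catch (Exception ex)
                {
                    if (IsLoggingEnabled())
                    {
                        string message = string.Format(@"Request.Form getter called, Method :{0}, Requested Page: {1}", MethodBase.GetCurrentMethod().Name, request.Url);
                        _logger.Error(message, ex);
                    }

                    throw;
                }

                if (ContainsSuspiciousContent(detector, form))
                {
                    result.IsValid = false;
                    result.DiseasedRequestPart = DiseasedRequestPart.Form;
                }
            }

            return result;
        }

        /// <summary>
        /// Picks the detection regex: the configured <c>ControlRegex</c> (stored HTML-encoded,
        /// hence the decode) or the built-in pattern when none is configured or the configured
        /// one does not compile.
        /// </summary>
        /// <remarks>
        /// A pattern that fails to compile is logged (when logging is on) instead of being
        /// swallowed: a typo in the configured pattern would otherwise silently downgrade
        /// detection to the default. Only <see cref="ArgumentException"/> (the regex
        /// constructor's failure type) is caught; anything else propagates.
        /// NOTE(review): neither regex is given a match timeout, so a pathological configured
        /// pattern applied to attacker-controlled input is a ReDoS risk. The
        /// Regex(string, RegexOptions, TimeSpan) overload addresses it, but a timeout then
        /// surfaces as RegexMatchTimeoutException and the fail-open/fail-closed policy must be
        /// decided by the callers first.
        /// </remarks>
        private Regex ResolveDetectionRegex()
        {
            string configured = _configuration.ControlRegex;

            if (string.IsNullOrWhiteSpace(configured))
            {
                return new Regex(_regexProcessor.XssPattern, RegexOptions.IgnoreCase);
            }

            try
            {
                return new Regex(HttpUtility.HtmlDecode(configured), RegexOptions.IgnoreCase);
            }
            catch (ArgumentException ex)
            {
                if (IsLoggingEnabled())
                {
                    _logger.Error("Configured ControlRegex is not a valid regular expression; falling back to the default XSS pattern.", ex);
                }

                return new Regex(_regexProcessor.XssPattern, RegexOptions.IgnoreCase);
            }
        }

        /// <summary>
        /// Runs the detector over a request collection. The raw serialized collection is
        /// checked first (the original behaviour), then each key and each decoded value,
        /// because <c>HttpValueCollection.ToString()</c> URL-encodes its content and a
        /// pattern such as <c>&lt;script</c> would never see <c>%3Cscript</c>.
        /// </summary>
        /// <param name="detector">The compiled detection regex.</param>
        /// <param name="values">Query-string or form collection; <c>null</c> is treated as clean.</param>
        /// <returns><c>true</c> on the first match in any part of the collection.</returns>
        private bool ContainsSuspiciousContent(Regex detector, System.Collections.Specialized.NameValueCollection values)
        {
            if (values == null)
            {
                return false;
            }

            string serialized = values.ToString();
            if (!string.IsNullOrEmpty(serialized) && _regexProcessor.ExecFor(detector, serialized))
            {
                return true;
            }

            foreach (string key in values.AllKeys)
            {
                // A key of null is legal (e.g. "?payload" with no '='); the payload is then the value.
                if (!string.IsNullOrEmpty(key) && _regexProcessor.ExecFor(detector, key))
                {
                    return true;
                }

                string[] entries = values.GetValues(key);
                if (entries == null)
                {
                    continue;
                }

                foreach (string entry in entries)
                {
                    if (!string.IsNullOrEmpty(entry) && _regexProcessor.ExecFor(detector, entry))
                    {
                        return true;
                    }
                }
            }

            return false;
        }

        /// <summary>
        /// True when the configuration's <c>Log</c> flag is set. Accepts "True"/"true" in any
        /// casing and tolerates a null value, instead of a case-sensitive compare that throws
        /// on null.
        /// </summary>
        private bool IsLoggingEnabled()
        {
            return string.Equals(_configuration.Log, bool.TrueString, StringComparison.OrdinalIgnoreCase);
        }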