C# (CSharp) XssFilterの例

コード例 #1

        public static string SanitizeHtml(String html)
        {
            //string schemaFolder = HttpContext.Current.Server.MapPath(WebUtils.GetApplicationRoot() + "/NeatHtml/schema");
            //string schemaFile = Path.Combine(schemaFolder, "NeatHtml.xsd");

            // ANTS Profiler showed this line to be expensive so changed to cache the object for re-use
            //XssFilter filter = XssFilter.GetForSchema(schemaFile);

            XssFilter filter = GetXssFilter();

            if (filter == null)
            {
                log.Info("XssFilter was null");
                //return html.Replace("script", "s cript");
                return(RemoveMarkup(html));
            }

            try
            {
                return(filter.FilterFragment(html));
            }
            catch (Exception)
            {
                return(RemoveMarkup(html));
            }
        }

コード例 #2

        private static XssFilter GetXssFilter()
        {
            if (HttpContext.Current == null)
            {
                return(null);
            }

            string key = "xssfilter";

            if (HttpContext.Current.Items[key] != null)
            {
                return((XssFilter)HttpContext.Current.Items[key]);
            }
            else
            {
                string schemaFolder = HttpContext.Current.Server.MapPath(WebUtils.GetApplicationRoot() + "/NeatHtml/schema");
                string schemaFile   = Path.Combine(schemaFolder, "NeatHtml.xsd");

                XssFilter filter = XssFilter.GetForSchema(schemaFile);

                HttpContext.Current.Items[key] = filter;

                return(filter);
            }

            //return null;
        }

コード例 #3

        public static string PreventCrossSiteScripting(String html, String errorHeader, bool removeMarkupOnFailure)
        {
            // This can be disabled by setting UseNeatHtmlForXSSPrevention to "false" in appSettings.
            //string useNeatHtmlXSSPrevention = ConfigurationManager.AppSettings["UseNeatHtmlForXSSPrevention"];
            //bool useNeatHtml = true;
            //if (useNeatHtmlXSSPrevention != null)
            //{
            //    useNeatHtml = bool.Parse(useNeatHtmlXSSPrevention);
            //}

            //if (!useNeatHtml)
            //{
            //    return html.Replace("script", "s cript");
            //}

            //if (
            //    (ConfigurationManager.AppSettings["UseClientSideNeatHtml"] != null)
            //    && (ConfigurationManager.AppSettings["UseClientSideNeatHtml"] == "true")
            //    )
            //{
            //    return html;

            //}

            //string schemaFolder = HttpContext.Current.Server.MapPath(WebUtils.GetApplicationRoot() + "/NeatHtml/schema");
            //string schemaFile = Path.Combine(schemaFolder, "NeatHtml.xsd");

            // ANTS Profiler showed this line to be expensive so changed to cache the object for re-use
            //XssFilter filter = XssFilter.GetForSchema(schemaFile);

            XssFilter filter = GetXssFilter();

            if (filter == null)
            {
                log.Info("XssFilter was null");
                return(html.Replace("script", "s cript"));
            }

            try
            {
                return(filter.FilterFragment(html));
            }
            catch (Exception ex)
            {
                if (removeMarkupOnFailure)
                {
                    return(String.Format(@"<span style=""color: #ff0000;"">{0}</span><br />{1}", errorHeader,
                                         HttpUtility.HtmlEncode(RemoveMarkup(html))));
                }
                else
                {
                    return(String.Format(@"<span style=""color: #ff0000;"">{0}{1}</span>:<br />{2}", errorHeader,
                                         HttpUtility.HtmlEncode(ex.Message), HttpUtility.HtmlEncode(html)));
                }
            }
        }