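' Anti-XSS input encoding function, updated 2009-04-21 by evio
' Compared with checkstr(), checkxss is safer.
'*************************************
' Checkxss(ChkStr)
'   ChkStr  : untrusted text (request field, form value, ...). Null -> "".
'   Returns : the text with & ' " < > / * replaced by HTML entities, and a
'             short blacklist of script/SQL keywords split by an entity so
'             they no longer appear literally (case-insensitive).
'   Notes   : entity-encoding the seven characters is what stops markup
'             injection; the keyword rules are only defence in depth and
'             are no substitute for parameterised SQL queries.
'             As rendered on the page the replacement strings appear to have
'             lost their entities (e.g. "<" replaced by "<"), which made every
'             rule a no-op; they are restored here as named/numeric entities.
Function Checkxss(byVal ChkStr)
    Dim Str, re, rules, i, head, tail

    ' Missing field: return an empty string. The original assigned the
    ' result to CheckStr (a different name), so it actually returned Empty.
    If IsNull(ChkStr) Then
        Checkxss = ""
        Exit Function
    End If
    Str = ChkStr

    ' "&" must be encoded first so the entities produced below stay intact.
    Str = Replace(Str, "&", "&amp;")
    Str = Replace(Str, "'", "&#39;")
    Str = Replace(Str, """", "&quot;")
    Str = Replace(Str, "<", "&lt;")
    Str = Replace(Str, ">", "&gt;")
    Str = Replace(Str, "/", "&#47;")
    Str = Replace(Str, "*", "&#42;")

    Set re = New RegExp
    re.IgnoreCase = True
    re.Global = True

    ' Keyword pairs (prefix, remainder). The remainder's first character is
    ' emitted as a numeric entity, e.g. "select" -> "s&#101;lect". The
    ' "expression" rule (CSS expression()) is handled here as well so it is
    ' case-insensitive like the others; the original used a binary Replace
    ' that let "Expression" through. The original's rule on a single space
    ' ("( )" -> "$1or") appended "or" after every blank and is dropped.
    rules = Array( _
        "w", "here", "s", "elect", "i", "nsert", "c", "reate", _
        "d", "rop", "a", "lter", "d", "elete", "u", "pdate", "s", "or", _
        "java", "script", "j", "script", "vb", "script", _
        "expre", "ssion")
    For i = 0 To UBound(rules) Step 2
        head = rules(i)
        tail = rules(i + 1)
        re.Pattern = "(" & head & ")(" & tail & ")"
        ' $1 keeps the caller's casing of the prefix; the remainder is rewritten.
        Str = re.Replace(Str, "$1&#" & Asc(Left(tail, 1)) & ";" & Mid(tail, 2))
    Next

    Set re = Nothing
    Checkxss = Str
End Function

测试代码:
<script> alert(/xss0/) </script>
<img src= "javascript:alert(/xss1/) " width=100>
<img src= "javascript:alert(/xss2/) " width=100>
<img src= "javas cript:alert(/xss3/) " width=100>
<img src= "# " onerror=alert(/xss4/)>
<img src= "# "/**/onerror=alert(/xss5/) width=100>
<img src= "# " style= "Xss:expression(alert(/xss6/)); ">
<img src="javascript:alert('XSS');">
<SCRIPT LANGUAGE=" Java Script"> eval("\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29") </SCRIPT>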