Introduction to the AntiXss Library

The AntiXss library is an open-source library for preventing injection attacks; it encodes content using a whitelist mechanism. It currently supports these input types: XML, HTML, QueryString, HTMLFormURLEncode, Ldap, and JavaScript. In day-to-day development we rarely need to safely encode input types such as Ldap or JavaScript; most of the time we safely encode XML, query strings, or form URLs. Below is a small example of safely encoding an XML document:

Encoding XML

using System;
using System.Text;
using System.Text.RegularExpressions;
// The AntiXss encoder lives in the Microsoft.Security.Application namespace; this alias
// (assumed setup, not shown in the original) lets the AntiXssLibrary.Encoder calls below resolve.
using AntiXssLibrary = Microsoft.Security.Application;

class Program
{
    static void Main()
    {
        EncodeXML();
    }

    static void EncodeXML()
    {
        // Untrusted input: the second item carries a stray '<' in its name and an unescaped '&' in its price.
        string attachedXML = @"<shoppingcart>
                                  <item date='2013/6/8'>
                                    <id>1</id>
                                    <name>book</name>
                                    <price>80</price>
                                    <discount>10</discount>
                                  </item>
                                  <item date='2013/6/9'>
                                    <id>1</id>
                                    <name><attack you!</name>
                                    <price>&80</price>
                                    <discount>10</discount>
                                  </item>
                                </shoppingcart>";
        // Pull each <item> apart into its five fields: the date attribute and the four child elements.
        // (The original character class ['|""] also matched a literal '|'; it is now just ['""].)
        Regex extractRegex = new Regex(@"<item\s+date=['""](.+?)['""]\s*?>\s*<id>(.*?)</id>\s*<name>(.*?)</name>\s*<price>(.*?)</price>\s*<discount>(.*?)</discount>\s*</item>");
        string xmlNodeFormat = @"<item date='{0}'><id>{1}</id><name>{2}</name><price>{3}</price><discount>{4}</discount></item>";
        StringBuilder safeXml = new StringBuilder();
        MatchCollection matches = extractRegex.Matches(attachedXML);
        safeXml.AppendLine("<shoppingcart>");
        foreach (Match item in matches)
        {
            // Every extracted value is XML-encoded before being placed back into the document.
            safeXml.AppendLine(string.Format(xmlNodeFormat,
                AntiXssLibrary.Encoder.XmlEncode(item.Groups[1].Value),
                AntiXssLibrary.Encoder.XmlEncode(item.Groups[2].Value),
                AntiXssLibrary.Encoder.XmlEncode(item.Groups[3].Value),
                AntiXssLibrary.Encoder.XmlEncode(item.Groups[4].Value),
                AntiXssLibrary.Encoder.XmlEncode(item.Groups[5].Value)));
        }
        safeXml.AppendLine("</shoppingcart>");
        Console.WriteLine("unsafe xml:\n" + attachedXML);
        Console.WriteLine("safe xml:\n" + safeXml);

        /* OUTPUT (first part, the unsafe xml as printed)
         <shoppingcart>
          <item date='2013/6/8'>
            <id>1</id>
            <name>book</name>
            <price>80</price>
            <discount>10</discount>
          </item>
          <item date='2013/6/9'>
            <id>1</id>
            <name><attack you!</name>
            <price>&80</price>
            <discount>10</discount>
          </item>
        </shoppingcart>
         */
    }
}


Common injection attacks

XML injection

XSS attacks

LDAP injection

AntiXssLibrary download
