开发者

Anti XSS Sanitization of IFrames with specific src attribute values in .NET

开发者 https://www.devze.com 2023-03-11 11:39 出处:网络
I\'m looking to accomplish the following: sanitize WYSIWIG user-input using either AntiXSS or AntiSamy libraries, however, allow iframe tags which have \"src\" attribute from particul开发者_如何学运维

I'm looking to accomplish the following: sanitize WYSIWIG user-input using either AntiXSS or AntiSamy libraries, however, allow iframe tags which have "src" attribute from particul开发者_如何学运维ar domains. Is there a way to accomplish this?

I was thinking about parsing it up with Regex somehow and swapping it out "< iframe" for something like {{iframe-begin}} tag and later on swapping it out in the controller logic with "

Thank you.


I also wanted to do some HTML sanitization for one of my WYSISWIG editors.

One aproach is to use the Microsoft Anti-Cross Site Scripting Library. http://msdn.microsoft.com/en-us/library/aa973813.aspx

Another is to create a whitelist parser for HTML.

Here is what I used along with HTML Agility Pack, you can configure the whitelist with tags and allowed atributes:

public static class HtmlSanitizer { private static readonly IDictionary Whitelist; private static List DeletableNodesXpath = new List();

    static HtmlSanitizer()
    {
        Whitelist = new Dictionary<string, string[]> {
            { "a", new[] { "href" } },
            { "strong", null },
            { "em", null },
            { "blockquote", null },
            { "b", null},
            { "p", null},
            { "ul", null},
            { "ol", null},
            { "li", null},
            { "div", new[] { "align" } },
            { "strike", null},
            { "u", null},                
            { "sub", null},
            { "sup", null},
            { "table", null },
            { "tr", null },
            { "td", null },
            { "th", null }
            };
    }

    public static string Sanitize(string input)
    {
        if (input.Trim().Length < 1)
            return string.Empty;
        var htmlDocument = new HtmlDocument();

        htmlDocument.LoadHtml(input);            
        SanitizeNode(htmlDocument.DocumentNode);
        string xPath = HtmlSanitizer.CreateXPath();

        return StripHtml(htmlDocument.DocumentNode.WriteTo().Trim(), xPath);
    }

    private static void SanitizeChildren(HtmlNode parentNode)
    {
        for (int i = parentNode.ChildNodes.Count - 1; i >= 0; i--)
        {
            SanitizeNode(parentNode.ChildNodes[i]);
        }
    }

    private static void SanitizeNode(HtmlNode node)
    {
        if (node.NodeType == HtmlNodeType.Element)
        {
            if (!Whitelist.ContainsKey(node.Name))
            {
                if (!DeletableNodesXpath.Contains(node.Name))
                {                       
                    //DeletableNodesXpath.Add(node.Name.Replace("?",""));
                    node.Name = "removeableNode";
                    DeletableNodesXpath.Add(node.Name);
                }
                if (node.HasChildNodes)
                {
                    SanitizeChildren(node);
                }                  

                return;
            }

            if (node.HasAttributes)
            {
                for (int i = node.Attributes.Count - 1; i >= 0; i--)
                {
                    HtmlAttribute currentAttribute = node.Attributes[i];
                    string[] allowedAttributes = Whitelist[node.Name];
                    if (allowedAttributes != null)
                    {
                        if (!allowedAttributes.Contains(currentAttribute.Name))
                        {
                            node.Attributes.Remove(currentAttribute);
                        }
                    }
                    else
                    {
                        node.Attributes.Remove(currentAttribute);
                    }
                }
            }
        }

        if (node.HasChildNodes)
        {
            SanitizeChildren(node);
        }
    }

    private static string StripHtml(string html, string xPath)
    {
        HtmlDocument htmlDoc = new HtmlDocument();
        htmlDoc.LoadHtml(html);
        if (xPath.Length > 0)
        {
            HtmlNodeCollection invalidNodes = htmlDoc.DocumentNode.SelectNodes(@xPath);
            foreach (HtmlNode node in invalidNodes)
            {
                node.ParentNode.RemoveChild(node, true);
            }
        }
        return htmlDoc.DocumentNode.WriteContentTo(); ;
    }

    private static string CreateXPath()
    {
        string _xPath = string.Empty;
        for (int i = 0; i < DeletableNodesXpath.Count; i++)
        {
            if (i != DeletableNodesXpath.Count - 1)
            {
                _xPath += string.Format("//{0}|", DeletableNodesXpath[i].ToString());
            }
            else _xPath += string.Format("//{0}", DeletableNodesXpath[i].ToString());
        }
        return _xPath;
    }
}
0

精彩评论

暂无评论...
验证码 换一张
取 消