开发者

Stripping script tags from HTML input

问答 作者: 
public static string MakeWebSafe(this string x) {
    const string RegexRemove = @"(<\s*script[^>]*>)|(<\s*/\s*script[^>]*>)";
    return Regex.Replace(x, RegexRemove, string.Empty, RegexOptions.IgnoreCase);
}

Is there any reason this implementation isn't good enough. Can you break it? Is there anything I haven't considered? If you use or have used something different, what are its advantages?

I'm aware this leaves the body of the script in the text, but that'开发者_如何学Gos okay for this project.

UPDATE

Don't do the above! I went with this in the end: HTML Agility Pack strip tags NOT IN whitelist.

Have you considered this kind of scenario??

<scri<script>pt type="text/javascript">
    causehavoc();
</scr</script>ipt>

The best thing to do is remove all tags, encode things, or use bbcode

Yes, your RegEx can be circumvented by unicode encoding the script tags. I would suggest you look to more robust libraries when it comes to security. Take a look at Microsoft Web Protection Library

继续阅读:regex

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9