MES / haiNeng · Files

XSSFilterAttribute.cs 3.1 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 
using Hh.Mes.Common.XSS;
using Microsoft.AspNetCore.Mvc.Filters;
using System;

namespace WebMvc.Aop
{
    /// <summary>
    /// XSS 过滤器 解决xss攻击防御 在需要进行XSS过滤的控制器或者action上加上对应的属性即可
    /// 新增、编辑控制器加上
    /// </summary>
    public class XSSFilterAttribute : ActionFilterAttribute
    {
        private readonly XSSHelper xss;

        public XSSFilterAttribute()
        {
            xss = new XSSHelper();
        }

        /// <summary>
        /// 在调用Action方法之前调用
        /// </summary>
        /// <param name="context"></param>
        public override void OnActionExecuting(ActionExecutingContext context)
        {
            //获取参数集合
            var ps = context.ActionDescriptor.Parameters;
            //遍历参数集合
            foreach (var p in ps)
            {
                if (context.ActionArguments.ContainsKey(p.Name))
                {
                    //当参数是str
                    if (p.ParameterType == typeof(string))
                    {
                        if (context.ActionArguments[p.Name] != null)
                        {
                            context.ActionArguments[p.Name] = xss.XssFilter(context.ActionArguments[p.Name].ToString());
                        }
                    }
                    else if (p.ParameterType.IsClass)//当参数是一个实体
                    {
                        PostModelFieldFilter(p.ParameterType, context.ActionArguments[p.Name]);
                    }
                }

            }
        }


        /// <summary>
        /// 遍历实体的字符串属性
        /// </summary>
        /// <param name="type">数据类型</param>
        /// <param name="obj">对象</param>
        /// <returns></returns>
        private void PostModelFieldFilter(Type type, object obj)
        {
            if (obj != null)
            {
                foreach (var item in type.GetProperties())
                {
                    if (item.PropertyType == typeof(string))  //当参数是string才进行XSS筛选
                    {
                        var propertyValue = item.GetValue(obj);
                        if (propertyValue != null)
                        {
                            var filterValue = xss.XssFilter(propertyValue.ToString());
                            item.SetValue(obj, filterValue);
                        }
                    }
                    else if (item.PropertyType.IsArray)//当参数是一个数组
                    {
                        Array arrayValue = obj as Array;
                        for (var i = 0; i < arrayValue.Length; i++)
                        {
                            PostModelFieldFilter(arrayValue.GetType(), arrayValue.GetValue(i));
                        }
                    }
                    else if (item.PropertyType.IsClass)  //当参数是一个实体就再次调用
                    {
                        PostModelFieldFilter(item.PropertyType, item.GetValue(obj));
                    }
                }
            }
        }
    }
}