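/* JS Security API v1.1  Created By Web Application Security Group of TSC  UpDate: 2007-12-08 */

/**
 * Redirect-target validation.
 *
 * Checks a URL that is about to be loaded (or redirected to) from JavaScript,
 * so that the page cannot be sent to a third-party site or into a
 * javascript: / cross-site-scripting payload.
 *
 * Accepted (examples from the original header):
 *   http://www.qq.com   - absolute http(s) URL on an allowed company domain
 *   a.html              - plain relative path
 *   /a/1.html           - root-relative path
 * Rejected:
 *   http://www.baidu.com  - foreign host
 *   javascript:codehere   - any scheme other than http/https
 *   //www.qq.com          - protocol-relative URL
 *
 * The function name (VaildURL) is a historical misspelling and is kept
 * because callers depend on it.
 *
 * @param {string} sUrl untrusted URL candidate
 * @returns {boolean} true when the URL is acceptable, false otherwise
 */
function VaildURL(sUrl) {
    // Browsers remove ASCII tab / newline from a URL and trim other C0
    // controls before parsing it, so a value containing any of them could be
    // parsed differently from how the patterns below see it. Such bytes have
    // no place in a redirect target, so reject them outright.
    if (/[\x00-\x1f\x7f]/.test(sUrl)) {
        return false;
    }
    // 1. absolute http(s) URL (scheme optional) on one of the company domains;
    //    nothing but end-of-string, "/" or "\" may follow ".com", so no extra
    //    host label can be appended after the allowed domain
    var isAllowedHost = /^(https?:\/\/)?[\w\-.]+\.(qq|paipai|soso|taotao)\.com($|\/|\\)/i.test(sUrl);
    // 2. plain relative path: a word character followed by word characters,
    //    "/", ".", "-", "_" or "%" only (so no ":" and therefore no scheme)
    var isRelativePath = /^[\w][\w\/\.\-_%]+$/i.test(sUrl);
    // 3. root-relative path: one leading "/" or "\" that is NOT followed by
    //    another "/" or "\", which rules out "//host" forms
    var isRootRelative = /^[\/\\][^\/\\]/i.test(sUrl);
    return isAllowedHost || isRelativePath || isRootRelative;
}

/**
 * HTML body encoding: encodes untrusted input that is placed in the HTML
 * body (anywhere except inside an attribute).
 *
 * NOTE(review): in this copy of the file the replacement literals had been
 * entity-decoded by whatever extracted the page (e.g. replace(/&/g,"&")),
 * which turned every replace() into a no-op; the standard entities are
 * restored here. One further replace() call between the ">" and "<" lines
 * was truncated to `sStr.replace(/");` in this copy and could not be
 * recovered -- compare with the original source.
 *
 * "&" is encoded first so that the entities produced afterwards are not
 * themselves re-encoded.
 *
 * @param {string} sStr untrusted text
 * @returns {string} text safe to insert as HTML body content
 */
function HtmlEncode(sStr) {
    return sStr
        .replace(/&/g, "&amp;")
        .replace(/>/g, "&gt;")
        .replace(/</g, "&lt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
}

/**
 * HTML attribute encoding: encodes untrusted input placed inside an HTML
 * attribute value.
 *
 * Not suitable for:
 *  (1) attributes whose value is a URL -- tags such as
 *      a/img/frame/iframe/script/xml/embed/object with attributes such as
 *      href/src/lowsrc/dynsrc/background; use VaildURL / UriComponentEncode
 *      for those;
 *  (2) style="[untrusted input]".
 *
 * NOTE(review): this copy of the file is cut off after the second replace()
 * of this function (everything up to the next header comment was lost to
 * extraction). Only the "&" and ">" replacements are visible; "<", double
 * quote and single quote are included here because an attribute encoder
 * that leaves quotes alone does not protect the context it is meant for.
 * Verify the list against the original source.
 *
 * @param {string} sStr untrusted text
 * @returns {string} text safe to insert into a quoted attribute value
 */
function HtmlAttributeEncode(sStr) {
    return sStr
        .replace(/&/g, "&amp;")
        .replace(/>/g, "&gt;")
        .replace(/</g, "&lt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
}

/**
 * URL parameter encoding: for untrusted input placed into a query-string
 * value, e.g. href="http://xxx.qq.com/cgi-bin/xx?name=[untrusted input]".
 * (The first part of this function's original header comment is missing
 * from this copy of the file.)
 *
 * Every character other than [a-zA-Z0-9.-_] is percent-encoded.
 * encodeURIComponent leaves - _ . ! ~ * ' ( ) unencoded, so the last six of
 * those are encoded by hand afterwards. "?" and ";" are already encoded by
 * encodeURIComponent (%3F / %3B), so the original explicit replaces for
 * them were no-ops and are not repeated.
 *
 * @param {string} sStr untrusted value
 * @returns {string} percent-encoded value
 */
function UriComponentEncode(sStr) {
    return encodeURIComponent(sStr)
        .replace(/~/g, "%7E")
        .replace(/!/g, "%21")
        .replace(/\*/g, "%2A")
        .replace(/\(/g, "%28")
        .replace(/\)/g, "%29")
        .replace(/'/g, "%27");
}

/**
 * For a value placed inside an HTML tag (the XXXX of the original example,
 * whose tag markup was lost in this copy). Every character in the class --
 * "&", both quote characters, "<", ">", "/", "\", "-", the C0 controls
 * 0x00-0x1F and 0x80-0xFF -- becomes a decimal character reference
 * (&#NN;). Characters above U+00FF pass through unchanged.
 *
 * @this {string}
 * @returns {string}
 */
String.prototype.escHtmlEp = function () {
    return this.replace(/[&'"<>\/\\\-\x00-\x1f\x80-\xff]/g, function (ch) {
        return "&#" + ch.charCodeAt(0) + ";";
    });
};

/**
 * For a value placed directly into HTML body text. Same character-reference
 * encoding as escHtmlEp, except that CR (0x0D) and LF (0x0A) are left out of
 * the class and turned into <br> afterwards, and spaces become &nbsp; so the
 * original layout survives.
 *
 * NOTE(review): in this copy the three line-break replacement strings and
 * the space replacement were damaged by extraction (a raw newline and a
 * bare space stood where the literals should be). "<br>" and "&nbsp;" are
 * the reconstructed values -- verify against the original source.
 *
 * The original class listed \x1f on its own after \x0b-\x0c, leaving
 * 0x0E-0x1E unencoded; the range is closed here (\x0e-\x1f) so that every
 * C0 control other than CR/LF is encoded, matching escHtmlEp.
 *
 * @this {string}
 * @returns {string}
 */
String.prototype.escHtml = function () {
    return this
        .replace(/[&'"<>\/\\\-\x00-\x09\x0b-\x0c\x0e-\x1f\x80-\xff]/g, function (ch) {
            return "&#" + ch.charCodeAt(0) + ";";
        })
        .replace(/\r\n/g, "<br>")
        .replace(/\n/g, "<br>")
        .replace(/\r/g, "<br>")
        .replace(/ /g, "&nbsp;");
};

/**
 * For a value placed into a JavaScript string literal inside inline HTML
 * script. Backslash and both quote characters get a backslash prefix, "%"
 * becomes \x25, LF/CR become \n / \r, and 0x01 becomes \x01 (as in the
 * original).
 *
 * Added: "<" and ">" are emitted as \x3c / \x3e so that the untrusted value
 * cannot terminate the enclosing <script> element (the HTML parser never
 * sees a literal "<", while the JS engine still reads the original
 * character), and U+2028 / U+2029 are emitted as \u2028 / \u2029 because
 * older engines treat them as line terminators inside a string literal.
 *
 * @this {string}
 * @returns {string}
 */
String.prototype.escScript = function () {
    return this
        .replace(/[\\"']/g, function (ch) { return "\\" + ch; })
        .replace(/%/g, "\\x25")
        .replace(/</g, "\\x3c")
        .replace(/>/g, "\\x3e")
        .replace(/\n/g, "\\n")
        .replace(/\r/g, "\\r")
        .replace(/\u2028/g, "\\u2028")
        .replace(/\u2029/g, "\\u2029")
        .replace(/\x01/g, "\\x01");
};

/**
 * For a value placed directly into a URL query parameter, e.g. the XXX in
 * http://show8.qq.com/abc_cgi?a=XXX.
 *
 * Uses the legacy escape() (which leaves @ * _ + - . / unencoded and emits
 * %uXXXX for characters outside Latin-1) and then encodes "+" as %2B so it
 * is not read back as a space. The behaviour is deliberately unchanged
 * because the receiving CGI may depend on the %uXXXX form; new code should
 * prefer UriComponentEncode.
 *
 * @this {string}
 * @returns {string}
 */
String.prototype.escUrl = function () {
    return escape(this).replace(/\+/g, "%2B");
};

/**
 * Combined escape: JS-string escape, then escMiniUrl, then the in-tag
 * character-reference encoding. The original comment named the tag context
 * this is meant for, but that text was lost in this copy; judging by the
 * name it is an href value carrying script -- confirm against the original.
 *
 * escMiniUrl is not defined in this file and must be provided elsewhere
 * before this method is called.
 *
 * @this {string}
 * @returns {string}
 */
String.prototype.escHrefScript = function () {
    return this.escScript().escMiniUrl().escHtmlEp();
};

/**
 * For a value placed into a regular expression built from a string: every
 * metacharacter gets a backslash prefix.
 *
 * Added: "|" was missing from the original character class, so an escaped
 * value could still change the meaning of the surrounding pattern.
 *
 * @this {string}
 * @returns {string}
 */
String.prototype.escRegexp = function () {
    return this.replace(/[\\\^\$\*\+\?\{\}\.\(\)\[\]|]/g, function (ch) {
        return "\\" + ch;
    });
};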