.net表单过滤字符的问题,防XSS的方法,高手进来帮个忙,急急急~~~
上级机关让我把网站的XSS 漏洞修补上,我是新手 不懂得怎么修补 高手帮个忙 我把代码发上来
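<%@ Page Language="C#" AutoEventWireup="true" CodeFile="TotalNews.aspx.cs" Inherits="TotalNews" %>
<%@ Register TagPrefix="uc1" TagName="header1" Src="Childheader.ascx" %>
<%@ Register TagPrefix="uc2" TagName="footer1" Src="foot.ascx" %>
<%@ Register TagPrefix="uc3" TagName="left1" Src="LeftInfo.ascx" %>
<%-- Shell page: header / left menu / content iframe / footer.
     The iframe's src is assigned in TotalNews.aspx.cs from a fixed list keyed by the
     "id" query-string value. No request data is written into this markup directly,
     so this page does not reflect user input; keep it that way.
     Server comments (this form) are stripped before the response is sent. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <%-- WebTitle is read from web.config (operator-controlled, not request data), so the
         unencoded expression block below is acceptable. If the title ever comes from
         user-supplied text, emit it through Server.HtmlEncode(...) instead. --%>
    <title> <%= ConfigurationManager.AppSettings["WebTitle"]%> </title>
</head>
<body>
    <form id="form1" runat="server">
        <table border="0" align="center" cellpadding="0" cellspacing="0" style="width: 984px">
            <tr>
                <td align="center" style="height: 131px" >
                    <uc1:header1 id="header1" runat="server"></uc1:header1>
                </td>
            </tr>
        </table>
        <div>
            <table border="0" align="center" cellpadding="0" cellspacing="0" style="width: 984px">
                <tr>
                    <td height="831" align="center" style="height: 314px">
                        <table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
                            <tr>
                                <td><img src="images1/index_top4.gif" width="760" height="25" /></td>
                            </tr>
                        </table>
                        <table width="760" height="551" border="0" align="center" cellpadding="0" cellspacing="0">
                            <tr>
                                <td width="200" height="450" align="center" valign="top">
                                    <uc3:left1 id="feft1" runat="server"> </uc3:left1>
                                </td>
                                <td height="572" align="center" valign="middle" style="width: 518px">
                                    <%-- src is intentionally empty here; the code-behind sets it to one of a
                                         fixed set of relative .aspx paths, never to a request-supplied URL. --%>
                                    <IFRAME id="frame1" src="" scrolling="auto" frameborder="0" runat="server" style="width: 540px; height: 637px;">
                                    </IFRAME>
                                </td>
                                <td width="10" align="right" valign="bottom" background="images1/index_lmbg.gif"> </td>
                            </tr>
                        </table>
                        <table width="760" height="6" border="0" align="center" cellpadding="0" cellspacing="0">
                            <tr>
                                <td height="6"><img src="images1/index_bottom.gif" width="760" height="6" /></td>
                            </tr>
                        </table>
                    </td>
                </tr>
            </table>
            <table border="0" align="center" cellpadding="0" cellspacing="0" style="width: 984px">
                <tr>
                    <%-- was: height:" 100px" (malformed attribute, ignored by browsers) --%>
                    <td align="center" style="height: 100px">
                        <uc2:footer1 id="footer1" runat="server"></uc2:footer1>
                    </td>
                </tr>
            </table>
        </div>
    </form>
</body>
</html>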
===============================================================
using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
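/// <summary>
/// Container page that loads one of a fixed set of news pages into the
/// <c>frame1</c> iframe declared in TotalNews.aspx, chosen by the
/// <c>id</c> query-string value.
/// </summary>
/// <remarks>
/// Security note: the <c>id</c> value is never written into the response.
/// It is only compared, ordinally, against the fixed cases in
/// <see cref="ResolveFrameSource"/>, so this page cannot reflect script via
/// <c>id</c>, and an unrecognised value leaves the iframe's <c>src</c> as
/// declared in the markup. Never build the <c>src</c> by concatenating
/// request data; add new pages to the switch instead.
/// The former <c>frame2</c> field was removed: it was shadowed by a local of the
/// same name in Page_Load and never read.
/// </remarks>
public partial class TotalNews : System.Web.UI.Page
{
    /// <summary>
    /// Maps the <c>id</c> query-string value to the relative page the iframe should show.
    /// </summary>
    /// <param name="id">Raw value of <c>Request.QueryString["id"]</c>; null when the parameter is absent.</param>
    /// <returns>The relative .aspx path for a known id; null for null or any unlisted value.</returns>
    public static string ResolveFrameSource(string id)
    {
        // Exact ordinal match only (a null id falls through to default).
        switch (id)
        {
            case "1": return "StockFutures_right_tabdt.aspx";
            case "2": return "StockFutures_right_tabdl.aspx";
            case "3": return "StockFutures_right_tabSH.aspx";
            case "4": return "StockFutures_right_tabzz.aspx";
            case "5": return "StockFutures_right_tabjr.aspx";
            case "6": return "StockFutures_right_tabhgxinwen.aspx";
            case "7": return "zhzl_ztxinwen.aspx";
            default: return null;
        }
    }

    /// <summary>
    /// Points the <c>frame1</c> iframe at the page selected by the <c>id</c> query-string value.
    /// Runs on every request, including postbacks, as the original did.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    /// <exception cref="InvalidOperationException">
    /// The markup no longer declares a server-side control with id <c>frame1</c>.
    /// </exception>
    protected void Page_Load(object sender, EventArgs e)
    {
        // The iframe is declared runat="server" in the markup; resolve it by id rather
        // than dereferencing an unchecked cast (the original would NRE on a missing control).
        HtmlControl frame = this.FindControl("frame1") as HtmlControl;
        if (frame == null)
        {
            throw new InvalidOperationException("TotalNews.aspx does not declare a server-side control named 'frame1'.");
        }

        string target = ResolveFrameSource(Request.QueryString["id"]);
        if (target != null)
        {
            frame.Attributes["src"] = target;
        }
    }
}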