我有一个旧版Web应用程序,我需要迁移到新的Windows Server(从2008r2迁移到2019),并且一直遇到一些安全问题。主要带有富文本样式的文本框FCKeditor文本框。该编辑器会添加html标记,如果有人从Word文档中进行复制以填写该字段,则还将显示隐藏的Word文档结构(xml和样式内容),因此2019年的安全性将引发一条错误消息,提示该文本具有潜在危险。我想出了一个清理文本内容并将其恢复为纯文本内容的功能。但是安全性仍然会引发错误,并且永远不会出现在我创建的函数中。
protected string GetCleanedText(string content)
{
const string tagWhiteSpace = @"(>|$)(\W|\n|\r)+<";
const string stripFormatting = @"<[^>]*(>|$)";
const string lineBreak = @"<(br|BR)\s{0,1}\/{0,1}>";
const string xmlformatting = @"<xml>[\s\S]*?<\/xml>";
const string styleformatting = @"<style>[\s\S]*?<\/style>";
Regex lineBreakRegex = new Regex(lineBreak, RegexOptions.Multiline);
Regex xmlformattingRegex = new Regex(xmlformatting, RegexOptions.Multiline);
Regex stripFormattingRegex = new Regex(stripFormatting, RegexOptions.Multiline);
Regex tagWhiteSpaceRegex = new Regex(tagWhiteSpace, RegexOptions.Multiline);
Regex styleformattingRegex = new Regex(styleformatting, RegexOptions.Multiline);
string text = content;
//xml formatting
text = xmlformattingRegex.Replace(text, string.Empty);
//style formatting
text = styleformattingRegex.Replace(text, string.Empty);
//Decode html specific characters
//text = System.Net.WebUtility.HtmlDecode(text);
//text = System.Net.WebUtility.HtmlDecode(text);
text = System.Web.HttpUtility.HtmlDecode(text);
//Remove tag whitespace/line breaks
text = tagWhiteSpaceRegex.Replace(text, "><");
//Replace <br /> with line breaks
text = lineBreakRegex.Replace(text, Environment.NewLine);
//Strip formatting
text = stripFormattingRegex.Replace(text, string.Empty);
return text;
}
aspx页面上的数据通过Bind()进行双向绑定设置。我尝试用Eval()替换它,并调用GetCleanedText()函数以清理文本内容,但是由于FormView1_ItemCreated()函数,数据继续被擦除,或者使文本框为空或不允许使用要更新的内容。我还尝试过在ItemCreated,ItemUpdating和FormView1_DataBound()函数中实现某些功能,但仍然会得到一个空的文本框,或者在Editing文本字段中不维护新文本的情况内容。
这是aspx页面(我已删除了其他大部分内容,以专注于我要修复的内容:]]
<asp:FormView ID="FormView1" runat="server" DataKeyNames="id" DataSourceID="ObjectDataSource1" OnItemCreated="FormView1_ItemCreated" OnDataBound="FormView1_DataBound" OnItemUpdating="FormView1_ItemUpdating" OnItemDeleting="FormView1_ItemDeleting" BorderWidth="0px" CssClass="nospace" Width="100%" OnItemInserting="FormView1_ItemInserting" AllowPaging="True" EmptyDataText="No records found."> <EditItemTemplate> <table width="100%" border="0" cellpadding="2"> <tr> <td> <b>Business Reason for the Purchase:</b><br /> <FCKeditorV2:FCKeditor ID="purchase_reasonTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("purchase_reason") %>'> </FCKeditorV2:FCKeditor> </td> <td> </td> <td> <b>Description of Product or Service:</b><br /> <FCKeditorV2:FCKeditor ID="product_descriptionTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("product_description") %>'> </FCKeditorV2:FCKeditor> </td> </tr> <tr> <td> <asp:LinkButton ID="UpdateButton" runat="server" CausesValidation="True" CommandName="Update" CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="40" Text="Update" ValidationGroup="requestgroup" /> <asp:LinkButton ID="UpdateCancelButton" runat="server" CausesValidation="False" CommandName="Cancel" CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="42" Text="Cancel" /> <asp:ValidationSummary ID="ValidationSummary1" runat="server" HeaderText="Please complete fields:" ShowMessageBox="True" ShowSummary="False" ValidationGroup="requestgroup" /> </td> <td align="right"> </td> <td align="right"> </td> <td align="right"> </td> </tr> </table> </EditItemTemplate> <InsertItemTemplate> <table width="100%" border="0" cellpadding="2"> <tr> <td> <b>Business Reason for the Purchase:</b><br /> <FCKeditorV2:FCKeditor ID="purchase_reasonTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("purchase_reason") %>'> </FCKeditorV2:FCKeditor> </td> <td> </td> <td> <b>Description of Product or Service:</b><br /> <FCKeditorV2:FCKeditor ID="product_descriptionTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("product_description") %>'> </FCKeditorV2:FCKeditor> </td> </tr> <tr> <td> <asp:LinkButton ID="InsertButton" runat="server" CausesValidation="True" CommandName="Insert" CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="42" Text="Insert" ValidationGroup="requestgroup" /> <asp:LinkButton ID="InsertCancelButton" runat="server" CausesValidation="False" CommandName="Cancel" CssClass="btn" OnClientClick="RemoveDisplayMessage()" TabIndex="44" Text="Cancel" /> <asp:ValidationSummary ID="ValidationSummary1" runat="server" HeaderText="Please complete fields:" ShowMessageBox="True" ShowSummary="False" ValidationGroup="requestgroup" /> </td> <td align="right"> </td> <td align="right"> </td> <td align="right"> </td> </tr> </table> </InsertItemTemplate> <ItemTemplate> <table width="100%" border="0" cellpadding="2"> <tr> <td colspan="2" valign="top"> <b>Business Reason for the Purchase:</b><br /> <asp:Label ID="purchase_reasonLabel" runat="server" Text='<%# Bind("purchase_reason") %>' BackColor="#EFF2F3" BorderWidth="0" CssClass="textBlock" /> </td> </tr> <tr> <td colspan="2" valign="top"> <b>Description of Product or Service:</b><br /> <asp:Label ID="product_descriptionLabel" runat="server" Text='<%# Bind("product_description") %>' BackColor="#EFF2F3" BorderWidth="0" CssClass="textBlock" /> </td> </tr> <tr> <td> <asp:LinkButton ID="EditButton" runat="server" CausesValidation="False" CommandName="Edit" CssClass="btn" OnClientClick="RemoveDisplayMessage()" Text="Edit" /> <asp:LinkButton ID="DeleteButton" runat="server" CausesValidation="False" CommandName="Delete" CssClass="btn" OnClientClick="RemoveDisplayMessage(); return confirm('Do you really want to delete this item?');" Text="Delete" /> <asp:LinkButton ID="NewButton" runat="server" CausesValidation="False" CommandName="New" CssClass="btn" OnClientClick="RemoveDisplayMessage()" Text="New" /> </td> <td align="right"> <asp:LinkButton ID="ApproveButton" runat="server" CausesValidation="False" CommandArgument='<%# Eval("id") %>' CommandName="Approve" CssClass="btn" OnCommand="StatusButton_Command" Text="Approve" /> <asp:LinkButton ID="DenyButton" runat="server" CausesValidation="False" CommandArgument='<%# Eval("id") %>' CommandName="Deny" CssClass="btn" OnCommand="StatusButton_Command" Text="Deny" /> <asp:LinkButton ID="ReturnButton" runat="server" CausesValidation="False" CommandArgument='<%# Eval("id") %>' CommandName="more info" CssClass="btn" OnCommand="StatusButton_Command" Text="Require more info" /> </td> </tr> </table> </ItemTemplate>这是页面后面的C#代码:
清理内容,并且不允许直接编辑数据库。protected void FormView1_DataBound(object sender, EventArgs e) { // databinding for things that weren't set up with Bind() // does not have any content for the purchase_reasonTextBox or product_descriptionTextBox } protected void FormView1_ItemCreated(object sender, EventArgs e) { FormViewRow row = FormView1.Row; if (FormView1.CurrentMode == FormViewMode.Edit || FormView1.CurrentMode == FormViewMode.Insert) { //initialize if (FormView1.CurrentMode == FormViewMode.Insert) { // nothing relevant } else if (FormView1.CurrentMode == FormViewMode.Edit) { //nothing relevant } FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox"); if (purchase_reasonTextBox != null) { purchase_reasonTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js"; purchase_reasonTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css"; purchase_reasonTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml"; } FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox"); if (product_descriptionTextBox != null) { product_descriptionTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js"; product_descriptionTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css"; product_descriptionTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml"; } } } protected void FormView1_ItemUpdating(object sender, FormViewUpdateEventArgs e) { FormViewRow row = FormView1.Row; if (FormView1.CurrentMode == FormViewMode.Edit) { //nothing relevant } }关于如何解决此问题,我的想法已用尽。我Have
这是我尝试的最后一组更改:
protected void FormView1_DataBound(object sender, EventArgs e) { FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox"); if (purchase_reasonTextBox != null) { purchase_reasonTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js"; purchase_reasonTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css"; purchase_reasonTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml"; } purchase_reasonTextBox.Value = GetCleanedText(rowView["purchase_reason"].ToString()); FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox"); if (product_descriptionTextBox != null) { product_descriptionTextBox.CustomConfigurationsPath = Request.ApplicationPath + "/include/fckconfig.js"; product_descriptionTextBox.EditorAreaCSS = Request.ApplicationPath + "/App_Themes/FrontTheme/Style.css"; product_descriptionTextBox.StylesXmlPath = Request.ApplicationPath + "/include/fckstyles.xml"; } product_descriptionTextBox.Value = GetCleanedText(rowView["product_description"].ToString()); } protected void FormView1_ItemUpdating(object sender, FormViewUpdateEventArgs e) { FormViewRow row = FormView1.Row; if (FormView1.CurrentMode == FormViewMode.Edit) { FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox"); e.NewValues["purchase_reason"] = purchase_reasonTextBox.Value; //GetCleanedText(purchase_reasonTextBox.Value); FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox"); e.NewValues["product_description"] = product_descriptionTextBox.Value; //GetCleanedText(product_descriptionTextBox.Value); } } protected void FormView1_ItemInserting(object sender, FormViewInsertEventArgs e) { Response.Write(" -- Item Inserting -- "); FormViewRow row = FormView1.Row; if (FormView1.CurrentMode == FormViewMode.Insert) { FredCK.FCKeditorV2.FCKeditor purchase_reasonTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("purchase_reasonTextBox"); e.Values["purchase_reason"] = GetCleanedText(purchase_reasonTextBox.Value); FredCK.FCKeditorV2.FCKeditor product_descriptionTextBox = (FredCK.FCKeditorV2.FCKeditor)row.FindControl("product_descriptionTextBox"); e.Values["product_description"] = GetCleanedText(product_descriptionTextBox.Value); } }我希望获得有关如何使文本框中的文本内容恢复为纯文本的任何建议,>
<FCKeditorV2:FCKeditor ID="purchase_reasonTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("purchase_reason") %>'> </FCKeditorV2:FCKeditor> <FCKeditorV2:FCKeditor ID="product_descriptionTextBox" runat="server" BasePath="~/fckeditor/" Height="150px" ToolbarSet="Request" Value='<%# Bind("product_description") %>'> </FCKeditorV2:FCKeditor>我有一个旧版Web应用程序,我需要迁移到新的Windows Server(从2008r2迁移到2019),并且一直遇到一些安全问题。主要带有富文本格式的文本框...
由于您不共享错误消息,因此我将根据富文本插件发生的常见错误为您提供答案:
从客户端检测到潜在危险的Request.Form值