From 4e2e65f5dd27eef4ded659d5c4035bfbbd335658 Mon Sep 17 00:00:00 2001
From: csxiaoyaojianxian <1724338257@qq.com>
Date: Thu, 7 Sep 2017 17:33:40 +0800
Subject: [PATCH] =?UTF-8?q?js=E5=AE=89=E5=85=A8=E8=BF=87=E6=BB=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../filter.js" | 109 ++++++++++++++++++
1 file changed, 109 insertions(+)
create mode 100644 "04-\345\270\270\347\224\250\345\212\237\350\203\275/06-\345\256\211\345\205\250\350\277\207\346\273\244\345\231\250/filter.js"
diff --git "a/04-\345\270\270\347\224\250\345\212\237\350\203\275/06-\345\256\211\345\205\250\350\277\207\346\273\244\345\231\250/filter.js" "b/04-\345\270\270\347\224\250\345\212\237\350\203\275/06-\345\256\211\345\205\250\350\277\207\346\273\244\345\231\250/filter.js"
new file mode 100644
index 000000000..b041805cf
--- /dev/null
+++ "b/04-\345\270\270\347\224\250\345\212\237\350\203\275/06-\345\256\211\345\205\250\350\277\207\346\273\244\345\231\250/filter.js"
@@ -0,0 +1,109 @@
+/*
+* @Author: victorsun
+* @Date: 2017-09-07 14:12:02
+* @Last Modified by: victorsun
+* @Last Modified time: 2017-09-09 14:12:02
+*/
+
+
+/*
+url转向验证
+描述:对通过javascript语句载入(或转向)的页面进行验证,防止转到第三方网页和跨站脚本攻击
+返回值:true -- 合法;false -- 非法
+例:
+合法的值
+ http://xxx.csxiaoyao.com/hi/redirect.html?url=http://www.csxiaoyao.com
+ http://xxx.csxiaoyao.com/hi/redirect.html?url=a.html
+ http://xxx.csxiaoyao.com/hi/redirect.html?url=/a/1.html
+非法的值
+ http://xxx.csxiaoyao.com/hi/redirect.html?url=http://www.baidu.com
+ http://xxx.csxiaoyao.com/hi/redirect.html?url=javascript:codehere
+ http://xxx.csxiaoyao.com/hi/redirect.html?url=//www.csxiaoyao.com
+*/
+function VaildURL(sUrl)
+{
+ return (/^(https?:\/\/)?[\w\-.]+\.(csxiaoyao|sunshinestudio)\.(com|cn)($|\/|\\)/i).test(sUrl)||(/^[\w][\w\/\.\-_%]+$/i).test(sUrl)||(/^[\/\\][^\/\\]/i).test(sUrl) ? true : false;
+}
+
+//html正文编码:对需要出现在HTML正文里(除了HTML属性外)的不信任输入进行编码
+function HtmlEncode(sStr)
+{
+ sStr = sStr.replace(/&/g,"&");
+ sStr = sStr.replace(/>/g,">");
+ sStr = sStr.replace(/");
+ sStr = sStr.replace(/</g,"<");
+ sStr = sStr.replace(/"/g,'"');
+ sStr = sStr.replace(/'/g,"'");
+ return sStr;
+}
+
+/*
+html属性编码:对需要出现在HTML属性里的不信任输入进行编码
+注意:
+(1)该函数不适用于属性为一个URL地址的编码.这些标记包括:a/img/frame/iframe/script/xml/embed/object...
+属性包括:href/src/lowsrc/dynsrc/background/...
+(2)该函数不适用于属性名为 style="[Un-trusted input]" 的编码
+*/
+function HtmlAttributeEncode(sStr)
+{
+ sStr = sStr.replace(/&/g,"&");
+ sStr = sStr.replace(/>/g,">");
+ sStr = sStr.replace(/Click Here!
+以下字符将会被编码:
+除[a-zA-Z0-9.-_]以外的字符都会被替换成URL编码
+*/
+function UriComponentEncode(sStr)
+{
+ sStr = encodeURIComponent(sStr);
+ sStr = sStr.replace(/~/g,"%7E");
+ sStr = sStr.replace(/!/g,"%21");
+ sStr = sStr.replace(/\*/g,"%2A");
+ sStr = sStr.replace(/\(/g,"%28");
+ sStr = sStr.replace(/\)/g,"%29");
+ sStr = sStr.replace(/'/g,"%27");
+ sStr = sStr.replace(/\?/g,"%3F");
+ sStr = sStr.replace(/;/g,"%3B");
+ return sStr;
+}
+
+
+//用做过滤HTML标签里面的 比如这个例子里的 XXXX就是要过滤的
+String.prototype.escHtmlEp = function() { return this.replace(/[&'"<>\/\\\-\x00-\x1f\x80-\xff]/g, function(r){ return ""+r.charCodeAt(0)+";" }); };
+
+//用做过滤直接放到HTML里的
+String.prototype.escHtml = function() { return this.replace(/[&'"<>\/\\\-\x00-\x09\x0b-\x0c\x1f\x80-\xff]/g, function(r){ return ""+r.charCodeAt(0)+";" }).replace(/\r\n/g, "
").replace(/\n/g, "
").replace(/\r/g, "
").replace(/ /g, " "); };
+
+//用做过滤直接放到HTML里js中的
+String.prototype.escScript = function() { return this.replace(/[\\"']/g, function(r){ return "\\"+r; }).replace(/%/g, "\\x25").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\x01/g, "\\x01"); };
+
+//用做过滤直接URL参数里的 比如 http://show8.qq.com/abc_cgi?a=XXX XXX就是要过滤的
+String.prototype.escUrl = function() { return escape(this).replace(/\+/g, "%2B"); };
+
+//用做过滤直接放到中的
+String.prototype.escHrefScript = function() { return this.escScript().escMiniUrl().escHtmlEp(); };
+
+//用做过滤直接放到正则表达式中的
+String.prototype.escRegexp = function() { return this.replace(/[\\\^\$\*\+\?\{\}\.\(\)\[\]]/g, function(a,b){ return "\\"+a; }); };
+