using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
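/// <summary>
/// Strips HTML tags, script-URL and event-handler fragments, quotes and semicolons
/// from <paramref name="input"/> and returns the remainder HTML-encoded, to reduce the
/// XSS surface of free-text form fields.
/// </summary>
/// <remarks>
/// This is a blacklist filter, not a context-aware encoder. The returned value is only
/// suitable for HTML element content, and only because encoding is the <em>last</em>
/// step. Removing quotes and semicolons does not protect database access; SQL must be
/// issued through parameterized commands regardless of what this method returns.
/// The <c>on\w+\s*=</c> pattern also removes ordinary text such as "once =" — it
/// matches any word starting with "on" followed by "=".
/// </remarks>
/// <param name="input">Raw user-supplied text; may be null or empty.</param>
/// <returns>
/// The cleaned, HTML-encoded string; <see cref="string.Empty"/> for null or empty input.
/// </returns>
private string Sanitize(string input)
{
    if (string.IsNullOrEmpty(input))
    {
        return string.Empty;
    }

    string cleaned = input;

    // Each pattern is re-applied until it no longer matches: a single pass can leave
    // behind text that, once the match is removed, joins up into a new match (the
    // remainder of two overlapping occurrences). Case-insensitivity is expressed
    // inline with (?i) so all patterns share one loop.
    string[] dangerous = { "<[^>]*>", "(?i)javascript:", @"(?i)on\w+\s*=" };
    foreach (string pattern in dangerous)
    {
        string previous;
        do
        {
            previous = cleaned;
            cleaned = Regex.Replace(cleaned, pattern, "");
        } while (cleaned != previous);
    }

    // Quotes and semicolons are removed BEFORE encoding. HtmlEncode produces entities
    // (&quot; &#39; &lt; &gt; &amp;) that all end in ';'; the previous version stripped
    // ';' after encoding and so mangled every entity it had just emitted (e.g. "&lt;"
    // became "&lt").
    cleaned = Regex.Replace(cleaned, @"['"";]", "");

    // Collapse runs of whitespace and trim the ends.
    cleaned = Regex.Replace(cleaned, @"\s+", " ").Trim();

    // Encode last so the result is consistently HTML-encoded and nothing below can
    // break the entities.
    return HttpUtility.HtmlEncode(cleaned);
}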
// Pull the request fields out of the dynamic payload, defaulting to "" when a member
// evaluates to null. NOTE(review): `pro` is declared outside this view; the member name
// `emali` is presumably a misspelling of "email" kept because it is the key the caller
// sends — confirm against the client before renaming. Whether a *missing* member yields
// null (so ?. applies) or throws depends on the dynamic type behind `pro` — verify.
string emali = pro.emali?.ToString() ?? "";
string name = pro.name?.ToString() ?? "";
string phone = pro.phone?.ToString() ?? "";
string describe = pro.describe?.ToString() ?? "";
string type = pro.type?.ToString() ?? "";
string userids = pro.userid?.ToString() ?? "";
// Run every field through Sanitize (tag stripping + HTML encoding) before use.
// The cleaned values are shaped for HTML element content; they are not a substitute
// for parameterized SQL where these values reach the database.
// `em` (rather than `cleanEmail`) is kept as-is because it is referenced further down.
string em = Sanitize(emali);
string cleanName = Sanitize(name);
string cleanPhone = Sanitize(phone);
string cleanDescribe = Sanitize(describe);
string cleanType = Sanitize(type);
string cleanUserid = Sanitize(userids);