我正在编写用于处理验证的预逻辑,如果发现任何xss攻击,它将对请求值进行编码。我正在使用AntiXSS进行编码。我可以通过两种方式完成任务:
现在,我想创建一个自定义动作过滤器来编写前置逻辑。但是我无法获取需要编码的请求参数。下面是我使用的代码:
public class InputValidationCheck : ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
dynamic dynamicJson = JsonConvert.DeserializeObject(actionContext.Request.Content.ReadAsStringAsync().Result);
//using regex to match the pattern for the Json request object and directly replacing and encoding the desired value
string regexPattern = "(?<=: \")[^\",\r\n]*";
System.Text.RegularExpressions.Regex rgx = new System.Text.RegularExpressions.Regex(regexPattern);
//using REGEX's replace function to find the matching pattern and then replace the value with the encoded value
dynamicJson = rgx.Replace(dynamicJson.ToString(), new MatchEvaluator((m) => { return Encoder.HtmlEncode(m.ToString()); }));
//changing the request content with the modified request with header type as "application/json"
actionContext.Request.Content = new StringContent(dynamicJson,
System.Text.Encoding.UTF8,
"application/json");//CONTENT-TYPE header
Core.Logging.LogManager.LogVerbose(actionContext.Request.Content.ReadAsStringAsync().Result);
//return response;
//return base.ExecuteAsync(actionContext, cancellationToken);
}
}
我尝试了 actionContext.Request.Content.ReadAsStringAsync()。Result ,但是我无法从中获取请求参数值。知道我在做什么错吗?
更新 我使用了 actionContext.ActionArguments.Values 来获取参数。它的计数为1。但是如何在我的代码中使用它呢?