Recently, while developing a project, I needed to build a comment (message board) feature, and the client required that emoticons could be posted in comments, like QQ emoticons.
So I used the xheditor editor. Because I was worried that someone might insert things like JS scripts, I found the following code to do the filtering.
using System.Text.RegularExpressions;
using System.Web;

static string FilterHtml(string Htmlstring)
{
    // remove scripts
    Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);

    // remove HTML comments and line-break whitespace
    Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);

    // decode common HTML entities back to characters
    Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);

    // remove SQL / command keywords
    Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "delete from", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "drop table", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "truncate", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "exec master", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "net user", "", RegexOptions.IgnoreCase);

    // remove remaining special characters, then HTML-encode the result
    Htmlstring = Htmlstring.Replace("*", "");
    Htmlstring = Htmlstring.Replace(";", "");
    Htmlstring = Htmlstring.Replace("*/", "");
    Htmlstring = Htmlstring.Replace("\r\n", "");
    Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
    return Htmlstring;
}
The result: in the values passed in through the editor, tags like <script> had already been displayed as &lt;script&gt;, while the img tag kept its original form and was not changed; an inserted image was still
<img src=''>. However, after filtering with this code and then encoding with HtmlEncode, the returned value seemed to turn into <script>, and when the page ran it still treated this code as a JS tag and executed it instead of displaying it. If I do not use the filtering method above and instead encode directly with HtmlEncode, the code is not executed as JS but is displayed as <script> on the page. I am still confused about this and don't know what is going on. Could an expert help explain?
Editor and HTML encoding problem.
狐的傳說
2018-12-07 03:15:35
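The behaviour described in the post turns on the order of the filter's steps: the <script> stripper runs first, and the entity-decoding step that follows turns an editor-encoded &lt;script&gt; into a live tag. The Python below is an added illustration, not code from the post or from xheditor; it mirrors the post's script regex and entity replacements on constructed sample input and compares the posted order, decode-then-strip, and plain encode-only output.

```python
import html
import re

# Constructed samples (not from the original post). An editor that HTML-encodes
# its content delivers the first form; a plain textarea delivers the second.
ENCODED_INPUT = "Hi &lt;script&gt;alert(1)&lt;/script&gt; &amp; bye"
RAW_INPUT = "Hi <script>alert(1)</script> & bye"

# Same pattern as the post's first Regex.Replace; DOTALL is added so that a
# <script> block spanning several lines is also matched.
SCRIPT_TAG = re.compile(r"<script[^>]*?>.*?</script>", re.IGNORECASE | re.DOTALL)


def strip_script(s: str) -> str:
    """Remove real <script>...</script> elements (entity-encoded ones do not match)."""
    return SCRIPT_TAG.sub("", s)


def decode_entities(s: str) -> str:
    """Stand-in for the post's &quot;/&amp;/&lt;/&gt; replacements."""
    return html.unescape(s)


def filter_as_posted(s: str) -> str:
    """Order used in the post: strip <script> first, then decode entities.
    &lt;script&gt; survives the stripper and the decode step makes it live markup."""
    return decode_entities(strip_script(s))


def filter_decode_first(s: str) -> str:
    """Canonicalise first so the stripper sees the real markup, then strip.
    The result still has to be HTML-encoded exactly once when it is rendered."""
    return strip_script(decode_entities(s))


def encode_only(s: str) -> str:
    """The post's second experiment: HtmlEncode and nothing else."""
    return html.escape(s, quote=True)


def contains_live_script(s: str) -> bool:
    """True if the string holds a real (not entity-encoded) <script> element."""
    return SCRIPT_TAG.search(s) is not None


if __name__ == "__main__":
    for name, fn, data in [("as posted", filter_as_posted, ENCODED_INPUT),
                           ("decode first", filter_decode_first, ENCODED_INPUT),
                           ("encode only", encode_only, RAW_INPUT)]:
        out = fn(data)
        print(f"{name:12}: {out!r}  live script: {contains_live_script(out)}")
```

Whatever order the filter uses, the stored value must be HTML-encoded once at output time; decoding it again in the view (or letting the editor decode it) is what lets a stored tag run.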