php防御XSS攻击

WBOY
Freigeben: 2016-07-25 09:01:05
Original
1252 Leute haben es durchsucht
php防御XSS攻击,使用方法和详情看 http://www.tongqiong.com/read.php?tid-474.html
  1. function remove_xss($val) {
  2. // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
  3. // this prevents some character re-spacing such as
  4. // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
  5. $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);
  6. // straight replacements, the user should never need these since they're normal characters
  7. // this prevents like php防御XSS攻击
  8. $search = 'abcdefghijklmnopqrstuvwxyz';
  9. $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  10. $search .= '1234567890!@#$%^&*()';
  11. $search .= '~`";:?+/={}[]-_|\'\\';
  12. for ($i = 0; $i // ;? matches the ;, which is optional
  13. // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
  14. // @ @ search for the hex values
  15. $val = preg_replace('/([xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
  16. // @ @ 0{0,7} matches '0' zero to seven times
  17. $val = preg_replace('/(?{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
  18. }
  19. //http://www.tongqiong.com
  20. // now the only remaining whitespace attacks are \t, \n, and \r
  21. $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
  22. $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
  23. $ra = array_merge($ra1, $ra2);
  24. $found = true; // keep replacing as long as the previous round replaced something
  25. while ($found == true) {
  26. $val_before = $val;
  27. for ($i = 0; $i $pattern = '/';
  28. for ($j = 0; $j if ($j > 0) {
  29. $pattern .= '(';
  30. $pattern .= '([xX]0{0,8}([9ab]);)';
  31. $pattern .= '|';
  32. $pattern .= '|(?{0,8}([9|10|13]);)';
  33. $pattern .= ')*';
  34. }
  35. $pattern .= $ra[$i][$j];
  36. }
  37. $pattern .= '/i';
  38. $replacement = substr($ra[$i], 0, 2).''.substr($ra[$i], 2); // add in to nerf the tag
  39. $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
  40. if ($val_before == $val) {
  41. // no replacements were made, so exit the loop
  42. $found = false;
  43. }
  44. }
  45. }
  46. return $val;
  47. }
复制代码


Verwandte Etiketten:
Quelle:php.cn
Erklärung dieser Website
Der Inhalt dieses Artikels wird freiwillig von Internetnutzern beigesteuert und das Urheberrecht liegt beim ursprünglichen Autor. Diese Website übernimmt keine entsprechende rechtliche Verantwortung. Wenn Sie Inhalte finden, bei denen der Verdacht eines Plagiats oder einer Rechtsverletzung besteht, wenden Sie sich bitte an admin@php.cn
Beliebte Tutorials
Mehr>
Neueste Downloads
Mehr>
Web-Effekte
Quellcode der Website
Website-Materialien
Frontend-Vorlage