流传的移除XSS攻击的php函数 The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html. Another
流传的移除XSS攻击的php函数
The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html. Another excellent site is the XSS Database which details each attack and how it works.
<?php /** * Usage: Run *every* variable passed in through it. * The goal of this function is to be a generic function that can be used to * parse almost any input and render it XSS safe. For more information on * actual XSS attacks, check out http://ha.ckers.org/xss.html. Another * excellent site is the XSS Database which details each attack and how it * works. * * Used with permission by the author. * URL: http://quickwired.com/smallprojects/php_xss_filter_function.php * * License: * This code is public domain, you are free to do whatever you want with it, * including adding it to your own project which can be under any license. * * $Id: RemoveXSS.php 2663 2007-11-05 09:22:23Z ingmars $ * * @author Travis Puderbaugh <kallahar@quickwired.com> * @package RemoveXSS */ class RemoveXSS { /** * Wrapper for the RemoveXSS function. * Removes potential XSS code from an input string. * * Using an external class by Travis Puderbaugh <kallahar> * * @param string Input string * @return string Input string with potential XSS code removed */ function RemoveXSS($val) { // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed // this prevents some character re-spacing such as <java> // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val); // straight replacements, the user should never need these since they're normal characters // this prevents like <img src="http://www.iamle.com/archives/&#X40avascript:alert('XSS')>%0A%09%09%24search%20=%20" for strlen matches the which is optional any padded zeros are and go up to chars search hex values preg_replace with a zero seven times now only remaining whitespace attacks array array_merge true keep replacing as long previous round replaced something while sizeof if alt="PHP通用的XSS攻击过滤函数,Discuz系统中 防止XSS漏洞攻击,过滤" > 0) { $pattern .= '('; $pattern .= '([x|X]0{0,8}([9][a][b]);?)?'; $pattern .= '|({0,8}([9][10][13]);?)?'; $pattern .= ')?'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return $val; } } ?></x></java></kallahar>
Discuz系统中 防止XSS漏洞攻击,过滤HTML危险标签属性的PHP函数
//屏蔽html function checkhtml($html) { $html = stripslashes($html); if(!checkperm('allowhtml')) { preg_match_all("//is", $html, $ms); $searchs[] = ''; $replaces[] = '>'; if($ms[1]) { $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br |p|b|strong|i|u|em|span|ol|ul|li|blockquote |object|param|embed';//允许的标签 $ms[1] = array_unique($ms[1]); foreach ($ms[1] as $value) { $searchs[] = ""; $value = shtmlspecialchars($value); $value = str_replace(array('\','/*'), array('.','/.'), $value); $skipkeys = array( 'onabort','onactivate','onafterprint','onafterupdate', 'onbeforeactivate','onbeforecopy','onbeforecut', 'onbeforedeactivate','onbeforeeditfocus','onbeforepaste', 'onbeforeprint','onbeforeunload','onbeforeupdate', 'onblur','onbounce','oncellchange','onchange', 'onclick','oncontextmenu','oncontrolselect', 'oncopy','oncut','ondataavailable', 'ondatasetchanged','ondatasetcomplete','ondblclick', 'ondeactivate','ondrag','ondragend', 'ondragenter','ondragleave','ondragover', 'ondragstart','ondrop','onerror','onerrorupdate', 'onfilterchange','onfinish','onfocus','onfocusin', 'onfocusout','onhelp','onkeydown','onkeypress', 'onkeyup','onlayoutcomplete','onload', 'onlosecapture','onmousedown','onmouseenter', 'onmouseleave','onmousemove','onmouseout', 'onmouseover','onmouseup','onmousewheel', 'onmove','onmoveend','onmovestart','onpaste', 'onpropertychange','onreadystatechange','onreset', 'onresize','onresizeend','onresizestart', 'onrowenter','onrowexit','onrowsdelete', 'onrowsinserted','onscroll','onselect', 'onselectionchange','onselectstart','onstart', 'onstop','onsubmit','onunload','javascript', 'script','eval','behaviour','expression', 'style','class' ); $skipstr = implode('|', $skipkeys); $value = preg_replace(array("/($skipstr)/i"), '.', $value); if(!preg_match("/^[/|s]?($allowtags)(s+|$)/is", $value)) { $value = ''; } $replaces[] = empty($value)?'':""; } } $html = str_replace($searchs, $replaces, $html); } $html = addslashes($html); return $html; }
原文地址:PHP通用的XSS攻击过滤函数,Discuz系统中 防止XSS漏洞攻击,过滤HTML危险标签属性的P, 感谢原作者分享。