There are many ways to launch an XSS attack against a website, and simply calling PHP's built-in filter functions is not enough. filter_var(), mysql_real_escape_string(), htmlentities(), htmlspecialchars() and strip_tags() are all useful, but none of them guarantees safety on its own.
So how do we prevent XSS? The core of it is still careful handling of user data. What follows is not a complete treatment, just a few tips:
1. Treat all user input as hostile.
2. In a weakly typed scripting language, check that a value's type matches what you expect.
3. Write regular expressions carefully.
4. Functions such as strip_tags() and htmlspecialchars() are very useful.
5. External JavaScript is not necessarily trustworthy.
6. Pay close attention to how quotes are filtered.
7. Remove unnecessary HTML comments.
8. Internet Explorer, please spare me (its parser quirks need handling of their own).
Method one: PHP's htmlspecialchars() and htmlentities() functions
Example
PHP prevents XSS by passing untrusted strings through htmlspecialchars(), which converts the characters that have special meaning in HTML, including single and double quotes, into entities.
Pay attention to the second parameter. Calling htmlspecialchars($string) with no flags uses the default, which before PHP 8.1 was ENT_COMPAT: double quotes (") are converted, single quotes (') are not. (Since PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but code that must also run on older versions should not rely on that.)
So pass the second parameter explicitly: htmlspecialchars($string, ENT_QUOTES). If you genuinely do not want either kind of quote converted, use htmlspecialchars($string, ENT_NOQUOTES), but never emit such a value inside an attribute.
Prefer htmlspecialchars() over htmlentities(). For pure-English text the two give the same result. For Chinese text, htmlentities() converts every character that has a named entity, and if the charset argument does not match the page's encoding the bytes of multibyte characters are misread one at a time and mangled into Latin-1 entities. Always pass the charset (for example 'UTF-8' or 'GB2312') as the third argument.
Both functions encode a string for HTML output only; they do not make a value safe for any other context. A string run through htmlentities() or htmlspecialchars() is therefore protected against XSS but not against SQL injection, which needs prepared statements or the database driver's own escaping.
Every output statement, such as echo or print, should pass untrusted data through htmlspecialchars() first, for example htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), or htmlspecialchars($name, ENT_QUOTES, 'GB2312') on a page served as GB2312.
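To make the context point concrete, here is an added example (not code from the original post) that encodes the same untrusted value for each place it can land in a page. The helper names e_html(), e_js(), e_url_param() and safe_href() are my own, and the inputs are constructed samples.

```php
<?php
// Added example, not code from the original post: encode the same raw value
// for the exact context it is about to be written into. Helper names are mine.

declare(strict_types=1);

// HTML element content and quoted attribute values.
// ENT_QUOTES matters: with the pre-8.1 default (ENT_COMPAT) a single quote
// survives and will close a single-quoted attribute. ENT_SUBSTITUTE stops
// the function from returning '' on invalid UTF-8, which would silently blank
// the output instead of rendering it.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value embedded in an inline <script> as a JavaScript string literal.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX (and "/" becomes "\/"),
// so the literal cannot contain "</script>" or break out of its quotes.
function e_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A value used as a single query-string parameter.
function e_url_param(string $s): string
{
    return rawurlencode($s);
}

// A user-supplied URL placed in href/src. Encoding alone does not help here:
// "javascript:alert(1)" contains nothing that htmlspecialchars() would touch.
// Allowlist the scheme, then HTML-encode for the attribute.
function safe_href(string $url): string
{
    // browsers ignore control characters inside a scheme ("java\tscript:"),
    // so drop them before inspecting it
    $clean     = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    $hasScheme = preg_match('~^[a-z][a-z0-9+.\-]*:~i', $clean) === 1;
    $allowed   = preg_match('~^(?:https?|mailto):~i', $clean) === 1;
    if ($hasScheme && !$allowed) {
        return '#';   // javascript:, data:, vbscript:, ... are refused outright
    }
    return e_html($clean);
}

// Constructed sample inputs, as an attacker might submit them.
$name = "O'Reilly\" onmouseover=\"alert(1)";
$link = "java\tscript:alert(document.cookie)";
$note = "</script><script>alert(1)</script>";

// Each sink gets the encoder for its context.
echo '<p>Hello, ' . e_html($name) . "</p>\n";
echo '<input value="' . e_html($name) . "\">\n";
echo '<a href="' . safe_href($link) . "\">profile</a>\n";
echo '<a href="/search?q=' . e_url_param($name) . "\">search</a>\n";
echo '<script>var note = ' . e_js($note) . ";</script>\n";
```

The point of the four helpers is that there is no single "clean" form of a string: the value stored in the database stays raw, and the encoder is chosen by the sink, not by the source.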
Method two: without further ado, here is a filter function
Example
<?php
function xss_clean($data)
{
    // Fix &entity\n;
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (whitespace may be interleaved between the letters)
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we don't need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do {
        // Remove really unwanted tags; loop because one removal can expose another tag
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // We are done...
    return $data;
}
Note that this is a blacklist: it decodes entities once, strips the patterns it knows about, and lets everything else through. Treat it as a second line of defence behind output encoding, never as a replacement for it.
Method Three:
<?php
// PHP universal filter against injection and XSS attacks.
// by qq:831937
$_GET    && SafeFilter($_GET);
$_POST   && SafeFilter($_POST);
$_COOKIE && SafeFilter($_COOKIE);

function SafeFilter(&$arr)
{
    $ra = array('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '/script/', '/javascript/', '/vbscript/', '/expression/', '/applet/', '/meta/', '/xml/', '/blink/', '/link/', '/style/', '/embed/', '/object/', '/frame/', '/layer/', '/title/', '/bgsound/', '/base/', '/onload/', '/onunload/', '/onchange/', '/onsubmit/', '/onreset/', '/onselect/', '/onblur/', '/onfocus/', '/onabort/', '/onkeydown/', '/onkeypress/', '/onkeyup/', '/onclick/', '/ondblclick/', '/onmousedown/', '/onmousemove/', '/onmouseout/', '/onmouseover/', '/onmouseup/', '/onunload/');

    if (is_array($arr)) {
        foreach ($arr as $key => $value) {
            if (!is_array($value)) {
                // Do not addslashes() again when magic_quotes_gpc has already escaped the value, to avoid double escaping.
                // get_magic_quotes_gpc() no longer exists on PHP 8, hence the function_exists() guard.
                if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
                    $value = addslashes($value); // backslash-escape single quotes ('), double quotes ("), backslashes (\) and NUL
                }
                $value = preg_replace($ra, '', $value); // remove non-printing characters and crudely strip suspicious XSS strings
                $arr[$key] = htmlentities(strip_tags($value)); // remove HTML and PHP tags, then convert to HTML entities
            } else {
                SafeFilter($arr[$key]);
            }
        }
    }
}
?>
Caveats a practitioner should know before using this: the patterns carry no i modifier, so they are case-sensitive; they match substrings anywhere, so harmless words such as "database" (base) or "hyperlink" (link) are silently damaged; addslashes() is not a substitute for prepared statements; and magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0.
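Both Method two and Method three filter input on the way in. As an added example (not from the original post), here is the alternative a practitioner would normally prefer: validate the input, store it unchanged through a prepared statement, and encode only at output. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table, the function name validate_comment() and the sample comment are all constructed for this example.

```php
<?php
// Added example, not code from the original post: the layered alternative to
// a global input filter such as SafeFilter(). Input is validated but stored
// unmodified, SQL is parameterised, and HTML encoding happens at output time.
// Assumes the pdo_sqlite and mbstring extensions are available.

declare(strict_types=1);

// Constructed sample input. It is benign, yet SafeFilter()'s rules damage it:
// '/base/' shortens "database" and '/link/' removes "link", while addslashes()
// would store a stray backslash in front of the apostrophe.
$comment = "Our database admin's note: the link is <b>bold</b> & \"quoted\"";

// 1. Validate shape and size; reject rather than rewrite what does not fit.
function validate_comment(string $s): string
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        throw new InvalidArgumentException('comment must be valid UTF-8');
    }
    if (preg_match('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', $s)) {
        throw new InvalidArgumentException('control characters are not allowed');
    }
    if (mb_strlen($s) > 2000) {
        throw new InvalidArgumentException('comment too long');
    }
    return $s;
}

// 2. Store with a prepared statement: the driver keeps data and SQL apart,
//    so neither addslashes() nor mysql_real_escape_string() is needed.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$ins->execute([':body' => validate_comment($comment)]);

// 3. Encode for HTML only when rendering; the stored text is still exact,
//    so the same row can later be sent as JSON or plain text untouched.
foreach ($pdo->query('SELECT body FROM comments') as $row) {
    echo '<li>' . htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</li>\n";
}

// For contrast, what two of SafeFilter()'s own patterns (copied verbatim) plus
// addslashes() do to the same benign text before it ever reaches the database.
$mangled = preg_replace(['/base/', '/link/'], '', addslashes($comment));
echo htmlspecialchars($mangled, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
```

The difference in approach is where the work happens: SafeFilter() rewrites every request value before the application sees it, so the damage is permanent and the same value is "cleaned" for HTML even when it is headed for a database column or a JSON response. Encoding at the sink keeps the data intact and lets each output choose the right transformation.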