This article mainly introduces how to implement XSS security filtering in PHP. The example analyzes the techniques PHP uses for XSS security filtering and has some reference value. For more information, see
This example describes how to implement XSS security filtering in PHP and is shared here for your reference. The remove_xss() function below is a keyword blacklist: it first strips non-printable characters and decodes numeric entities for ordinary printable characters, then inserts a harmless <x> into tag names and event-handler names (for example javascript becomes ja<x>vascript) so that a browser no longer recognizes them, repeating until a pass changes nothing. The details are as follows:
<?php
// Nerf tag and event-handler keywords in untrusted HTML.
// Note that this is a blacklist: it catches the encodings listed below, but it is
// not a substitute for escaping the value with htmlspecialchars() at output time.
function remove_xss($val) {
    // Remove all non-printable characters. CR (0x0d), LF (0x0a) and TAB (0x09) are allowed.
    // This prevents character re-spacing such as <java\0script>.
    // Note that you have to handle splits with \n, \r and \t later, since they *are* allowed in some inputs.
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // Straight replacements: the user should never need these, since they're normal characters.
    // This prevents things like <IMG SRC=&#106;avascript:alert('XSS')>.
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        $char = $search[$i];
        // ;? matches the trailing ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
        // hex form: &#x6a; or &#X0006A;
        $val = preg_replace('/&#[xX]0{0,8}' . dechex(ord($char)) . ';?/i', $char, $val);
        // decimal form: &#106; or &#0000106;
        $val = preg_replace('/&#0{0,8}' . ord($char) . ';?/', $char, $val);
    }

    // Now the only remaining whitespace attacks are \t, \n and \r (and their entity forms).
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            // Build a pattern that matches the keyword even when entity-encoded
            // TAB/LF/CR (&#x9; &#xa; &#xd; or &#9; &#10; &#13;) sit between its letters.
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}[9ad];)';
                    $pattern .= '|';
                    $pattern .= '(&#0{0,8}(9|10|13);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            // add in <x> to nerf the tag, e.g. javascript -> ja<x>vascript
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2);
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
        }
        if ($val_before == $val) {
            // no replacements were made in this round, so exit the loop
            $found = false;
        }
    }
    return $val;
}
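A blacklist such as remove_xss() only catches the spellings it knows about; the defence that actually makes user input safe is encoding it for the context where it is written, and allowlisting URL schemes where it lands in an href. The following is an added example, not code from the original article: it shows that complementary step in PHP. The function names esc_html(), safe_url() and render_profile_link() and the payloads in $cases are constructed for illustration.

```php
<?php
// Added example (not from the original article): context-aware output encoding,
// the primary defence that a keyword blacklist such as remove_xss() does not replace.
// All function names and the sample payloads below are constructed for illustration.

// Escape untrusted text for an HTML element body or a double-quoted attribute value.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allowlist the URL scheme instead of blacklisting "javascript".
// Leading control characters and spaces are stripped first because browsers
// ignore them when parsing the scheme; anything whose scheme is not http(s)
// or mailto, and anything protocol-relative (//host), is rejected.
function safe_url(string $url): ?string {
    $trimmed = preg_replace('/^[\x00-\x20]+/', '', $url);
    if (preg_match('#^(?:https?|mailto):#i', $trimmed)) {
        return $trimmed;                       // absolute, allowlisted scheme
    }
    if (preg_match('#^(?:/(?!/)|[?\#])#', $trimmed)) {
        return $trimmed;                       // same-origin relative link
    }
    return null;                               // caller substitutes a safe default
}

// Render a user-supplied display name and profile link into HTML.
function render_profile_link(string $name, string $url): string {
    $href = safe_url($url) ?? '#';
    return '<a href="' . esc_html($href) . '">' . esc_html($name) . '</a>';
}

// Constructed payloads: none of them survive as markup or as an executable scheme.
$cases = [
    ['<script>alert(1)</script>',      'https://example.org/'],
    ['"onmouseover="alert(1)',         'https://example.org/'],
    ['Alice',                          'javascript:alert(1)'],
    ['Alice',                          "\tjava\nscript:alert(1)"],  // control characters in the scheme
    ['Alice',                          'JaVaScRiPt:alert(1)'],
    ['Alice',                          'data:text/html,<script>alert(1)</script>'],
    ['Alice',                          '//evil.example/'],
    ['Alice',                          '/users/alice?tab=posts'],
];

foreach ($cases as [$name, $url]) {
    echo render_profile_link($name, $url), "\n";
}
// The first line prints <a href="https://example.org/">&lt;script&gt;alert(1)&lt;/script&gt;</a>,
// the javascript:, data: and protocol-relative links all print <a href="#">Alice</a>,
// and the last line keeps its relative href unchanged.
```

htmlspecialchars() with ENT_QUOTES covers HTML body text and quoted attribute values only. Data placed inside a <script> block, an inline event handler, a style attribute or an unquoted attribute needs the encoder for that context, and a URL needs the scheme check before it is quoted; running remove_xss() in front of any of these adds a second layer but does not remove the need for the first.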
I hope this article will help you with PHP programming.