How the ThinkPHP framework effectively prevents XSS attacks

Source: Internet
Author: User
I am now using ThinkPHP 3.1.3, and it seems that in this version URL parameters and form submissions are filtered by default, because malicious JS scripts added to some search boxes and URL parameters are not executed. Still, I don't fully trust it; I haven't used the ThinkPHP framework for long, but XSS should be quite common by now. I would like to ask those of you with a lot of experience: with ThinkPHP, what configuration should be done, or, wherever there are user submissions, what filter code can be added to make the site prevent XSS attacks more effectively?

Reply content:

XSS (cross-site scripting) attacks can be used to steal other users' cookie information. To avoid such problems, you can use the following solutions:
1. Directly filter out all JavaScript scripts;
2. Escape HTML metacharacters, using htmlentities, htmlspecialchars and similar functions;
3. The system's extended function library provides the remove_xss method for XSS security filtering;
4. Some system variables for URL access already have XSS filtering applied.

Related:
http://www.hdj.me/thinkphp-deny-xss
http://www.2cto.com/Article/201307/231292.html
http://www.oschina.net/question/582888_117471

```php
<?php
function remove_xss($val) {
    // remove all non-printable characters. TAB (0x09), LF (0x0a) and CR (0x0d) are allowed.
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents entity-encoded letters (e.g. &#106; for "j") from being used to spell a tag or protocol name
    $search  = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars

        // @ @ search for the hex values
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val); // with a ;
        // @ @ 0{0,8} matches '0' zero to eight times
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val); // with a ;
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style',
                 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound',
                 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy',
                 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint',
                 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick',
                 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged',
                 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter',
                 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate',
                 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown',
                 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown',
                 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup',
                 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange',
                 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter',
                 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
                 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // between the letters of the keyword, allow any number of entity-encoded
                    // TAB/LF/CR, written either as hex (&#x9; &#xa; &#xb;) or decimal (&#9; &#10; &#13;)
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                    $pattern .= '|';
                    $pattern .= '(&#0{0,8}(9|10|13);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2); // add in <x> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
            if ($val_before == $val) {
                // no replacements were made, so exit the loop
                $found = false;
            }
        }
    }
    return $val;
}
```
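remove_xss() is a keyword blacklist applied to input; option 2 of the answer above (escaping HTML metacharacters at output) is the control that holds regardless of which tag and handler names the filter knows, so it is shown here in working form. This is an added example, not code from the post or from ThinkPHP: e(), e_url() and render_search_page() are names chosen for the example, and the search term and result titles are constructed sample input.

```php
<?php
// Escape for HTML text nodes and for quoted attribute values.
// ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently turning the whole string into '' (PHP < 8.1 behaviour), and the
// charset must match the page's Content-Type header.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a value placed inside a URL query string (different context, different encoder).
function e_url(string $value): string
{
    return rawurlencode($value);
}

// Build the results page. The raw query is kept unchanged for searching and
// logging; encoding is applied once, at the point where the value is written
// into each HTML context (text node, attribute value, URL parameter).
function render_search_page(string $query, array $titles): string
{
    $html  = '<h1>Results for ' . e($query) . "</h1>\n";
    $html .= '<input type="text" name="q" value="' . e($query) . "\">\n";
    $html .= '<a href="?q=' . e_url($query) . '&amp;page=2">Next page</a>' . "\n";
    $html .= "<ul>\n";
    foreach ($titles as $title) {
        $html .= '  <li>' . e($title) . "</li>\n";
    }
    $html .= "</ul>\n";
    return $html;
}

// Constructed sample input: a search term that tries to close the attribute and
// start a tag, plus a stored title that contains markup of its own.
$query  = 'shoes"><script>alert(1)</script>';
$titles = ['Running shoes', '<b>Best</b> price & free shipping'];

$page = render_search_page($query, $titles);

// Check: no tag from either input reaches the browser as markup; the quote that
// would have closed the value="" attribute is now &quot;.
if (strpos($page, '<script>') !== false || strpos($page, '<b>') !== false) {
    fwrite(STDERR, "output escaping failed\n");
    exit(1);
}
echo $page;
```

Run with `php example.php` and compare the `<h1>`, `value=""` and `href` lines: the same query is encoded three different ways, which is why a single input-side filter cannot replace per-context output encoding.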
