PHP CodeBase: PHP function used to filter XSS attacks

So how does the PHP site defend against XSS attacks? The following functions can be used to filter user input to ensure that the input is XSS safe. For more information about how to filter data, see the function and add comments. <? Phpfunction RemoveXSS ($ val) {// remove all non-printable characters. CR (0a) and LF (0b) and TAB (9) are allowed // this prevents some character re-spacing such as <java \ 0 script> // note that you have to handle splits with \ n, \ r, and \ t later since they * are * allowed in some inputs $ val = preg_replace ('/([\ x00-\ x08, \ x0b-\ x0c, \ x0e-\ x19])/', '', $ val); // straight replacements, the user shoshould never n Eed these since they're normal characters // this prevents like $ search = 'abcdefghijklmnopqrstuvwxy'; $ search. = 'abcdefghijklmnopqrstuvwxy'; $ search. = '000000! @ # $ % ^ & * () '; $ Search. = '~ '";:? +/= {} []-_ | \ '; Www.2cto.com for ($ I = 0; $ I <strlen ($ search); $ I ++) {//;? Matches the;, which is optional // 0 {0, 7} matches any padded zeros, which are optional and go up to 8 chars // @ search for the hex values $ val = preg_replace ('/(& # [xX] 0 {0, 8 }'. dechex (ord ($ search [$ I]). ';?) /I ', $ search [$ I], $ val); // with; // @ 0 {} matches '0' zero to seven times $ val = preg_replace ('/(& #0 }'. ord ($ search [$ I]). ';?) /', $ Search [$ I], $ val); // with a;} // now the only remaining whitespace attacks are \ t, \ n, and \ r $ ra1 = Array ('javascript ', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink ', 'link ', 'style', 'script', 'embed ', 'object', 'iframe', 'frameset', 'ilayer', 'lay', 'bgsound ', 'title', 'base'); $ ra2 = Array ('onabport', 'onactivate', 'onafterprint ', 'onafterupdat', 'onbeforeactivat E ', 'onbeforecopy', 'onbeforecut', 'weight', 'onbeforeeditfocal', 'onbeforepaste ', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdat', 'onblur ', 'onbounce ', 'oncellchang', 'onchange', 'onclick', 'ontextmenu', 'oncontrolselect', 'oncopy', 'oncut ', 'ondataavailable', 'ondatasetchanged ', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragl Eave ', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdat', 'onfilterchang', 'onfinish', 'ondetail', 'onfocusin ', 'onfocusout', 'onhelp', 'onkeylow', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture ', 'onmouselow', 'onmouseenter ', 'onmouseleave ', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel ', 'onmove', 'onmoveend', 'onmovestart', 'onpa Ste ', 'onpropertychang', 'onreadystatechang', 'onreset', 'onsize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowsdelete ', onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload '); $ ra = array_merge ($ ra1, $ ra2); $ found = true; // keep replacing as long as the previous round replaced something while ($ found = = True) {$ val_before = $ val; for ($ I = 0; $ I <sizeof ($ ra); $ I ++) {$ pattern = '/'; for ($ j = 0; $ j <strlen ($ ra [$ I]); $ j ++) {if ($ j> 0) {$ pattern. = '('; $ pattern. = '(& # [xX] 0 {0, 8} ([9ab]);)'; $ pattern. = '|'; $ pattern. = '| (& #0 {0, 8} ([9 | 10 | 13]);)'; $ pattern. = ') *';} $ pattern. = $ ra [$ I] [$ j];} $ pattern. = '/I'; $ replacement = substr ($ ra [$ I], 0, 2 ). '<x> '. substr ($ ra [$ I], 2); // add in <> to ner F the tag $ val = preg_replace ($ pattern, $ replacement, $ val); // filter out the hex tags if ($ val_before = $ val) {// no replacements were made, so exit the loop $ found = false ;}} return $ val ;}?> PHP CodeBase code library plan. Generally, one function is collected at a time to solve a problem.