_php tutorial on preventing XSS cross-site scripting attacks with PHP programming

Many of the domestic forums have cross-site scripting vulnerabilities, foreign also a lot of such examples, even Google has appeared, but in early December amended. (Editor's note: For cross-site scripting vulnerability attacks, readers can refer to the "detailed XSS cross-site Scripting attack"). Cross-site attacks are easy to construct, and are very discreet, and are not easily Chage (usually after stealing information and jumping back to the original page).

How to attack, here do not explain (and don't ask me), mainly talk about how to prevent. First, cross-site scripting attacks are caused by the lack of strict filtering of the user's input, so we must intercept the possible dangers before all data enters our website and database. For illegal HTML code including single and double quotes, you can use Htmlentities ().

Bold BoldEcho htmlentities ($str, ent_quotes);? >

This will invalidate the illegal script.

Note, however, that the default encoding for Htmlentities () is iso-8859-1, and if your illegal script is encoded as something else, it may not be filtered out and the browser can recognize and execute it. I'll find a few sites to test this problem.

Here is a function for filtering out illegal scripts:

function Removexss ($val) {//Remove all non-printable characters. CR (0a) and LF (0b) and TAB (9) is allowed//This prevents some character re-spacing such as <javascript>//Note that yo U has to handle splits W N, R, and T later Sincethey *are* allowed in some inputs $val = Preg_replace ('/([x00-x08][x0 　B-X0C][X0E-X20])/', ', $val); Straight replacements, the user should never need these since they ' re normal characters//This prevents like $search = ' abcdefghijklmnopqrstuvwxyz '; 　$search. = ' ABCDEFGHIJKLMNOPQRSTUVWXYZ '; 　$search. = ' 1234567890!@#$%^&* () '; $search. = ' ~ ' ";:? +/={}[]-_| ' 　\'; for ($i = 0; $i strlen ($search); $i + +) {//; matches the;, which is optional//0{0,7} matches any padded zeros, whic H is optional and go up to 8 chars//@ search for the hex values $val = Preg_replace ('/(&#[x| x]0{0,8} '. Dechex (Ord ($search [$i])). /I ', $search [$i], $val); with A; @ @ 0{0,7} matches ' 0 ' zero to seven TimEs $val = preg_replace ('/({0,8} '. Ord ($search [$i]). /', $search [$i], $val); 　with A; }//Now the only remaining whitespace attacks is T, N, and r $ra 1 = Array (' javascript ', ' VBScript ', ' expression ', ' app Let ', ' meta ', ' xml ', ' blink ', ' link ', ' style ', ' script ', ' embed ', ' object ', ' iframe ', ' frame ', ' frameset ', ' ilayer ', ' Laye R ', ' Bgsound ', ' title ', ' base '); $ra 2 = Array (' onabort ', ' onactivate ', ' onafterprint ', ' onafterupdate ', ' onbeforeactivate ', ' onbeforecopy ', ' Onbeforecut ', ' onbeforedeactivate ', ' onbeforeeditfocus ', ' onbeforepaste ', ' onbeforeprint ', ' onbeforeunload ', ' Onbeforeupdate ', ' onblur ', ' onbounce ', ' oncellchange ', ' onchange ', ' onclick ', ' oncontextmenu ', ' oncontrolselect ', ' Oncopy ', ' oncut ', ' ondataavailable ', ' ondatasetchanged ', ' ondatasetcomplete ', ' ondblclick ', ' ondeactivate ', ' Ondrag ', ' Ondragend ', ' ondragenter ', ' ondragleave ', ' ondragover ', ' ondragstart ', ' ondrop ', ' onerror ', ' onerrorupdate ', ' Onfilterchange ', ' onfinish ', ' onfocus ', ' onfocusin ', ' onfocusout ', ' onHelp ', ' onkeydown ', ' onkeypress ', ' onkeyup ', ' onlayoutcomplete ', ' onload ', ' onlosecapture ', ' onmousedown ', ' Onmouseenter ', ' onmouseleave ', ' onmousemove ', ' onmouseout ', ' onmouseover ', ' onmouseup ', ' onmousewheel ', ' onmove ', ' Onmoveend ', ' onmovestart ', ' onpaste ', ' onpropertychange ', ' onreadystatechange ', ' onreset ', ' onresize ', ' onresizeend ', ' Onresizestart ', ' onrowenter ', ' onrowexit ', ' onrowsdelete ', ' onrowsinserted ', ' onscroll ', ' onselect ', ' 　Onselectionchange ', ' onselectstart ', ' onstart ', ' onstop ', ' onsubmit ', ' onunload '); 　$ra = Array_merge ($ra 1, $ra 2); $found = true; Keep replacing as long as the previous round replaced something while ($found = = True) {$val _before = $val; for ($i = 0; $i, sizeof ($RA); 　$i + +) {$pattern = '/'; 　for ($j = 0; $j strlen ($ra [$i]), $j + +) {if ($j-0) {$pattern. = ' ('; $pattern. = ' (&#[x| 　x]0{0,8} ([9][a][b]);?)?; $pattern. = ' | 　({0,8} ([9][10][13]);?)? "; $pattern. = ')? '; } $pattern. = $ra [$i] [$j]; } $pattern. = '/I '; $replacement = substr ($ra[$i], 0, 2). ' <x> '. substr ($ra [$i], 2); Add in <> to nerf the tag $val = Preg_replace ($pattern, $replacement, $val); 　Filter out the hex tags if ($val _before = = $val) {//No replacements were made, so exit the loop $found = false;} } } }

http://www.bkjia.com/PHPjc/446770.html www.bkjia.com true http://www.bkjia.com/PHPjc/446770.html techarticle Many of the domestic forums have cross-site scripting vulnerabilities, foreign also a lot of such examples, even Google has appeared, but in early December amended. (Editor's note: About Cross-site scripting vulnerability attacks ...)

