There are many ways to mount an XSS attack against a website, and relying on PHP's built-in filter functions alone is not a good plan. Even if you use filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars or strip_tags, none of these functions guarantees safety on its own: each addresses one context (mysql_real_escape_string, for instance, is for SQL string literals and does nothing for HTML), so the right function has to be applied at the right output boundary.
So how do you prevent XSS injection? The main work is still the handling of user data: validating it on the way in and encoding it on the way out. Here is an incomplete list of tips:
1. Assume that all user input is "evil".
2. In a weakly typed scripting language, check that every value has the type you expect (cast numeric ids with (int) or validate them with filter_var) instead of trusting the form it arrived in.
3. Write regular expressions carefully; a sloppy pattern is itself a filter bypass.
4. Functions such as strip_tags and htmlspecialchars are very useful.
5. External JavaScript is not necessarily trustworthy.
6. Make sure the quotation marks are escaped.
7. Remove unnecessary HTML comments.
8. Internet Explorer, please spare us ... (it executes CSS expression() and behaviour: bindings that no other browser runs, which is why the filters below special-case it).
Method one: the PHP htmlentities / htmlspecialchars functions
PHP prevents XSS by passing untrusted data through htmlspecialchars(), which converts the characters that are significant in HTML markup (&, <, > and, depending on the flags, the single and double quotation marks) into entities.
When using htmlspecialchars(), pay attention to the second argument. Calling htmlspecialchars($string) with no flags used to mean ENT_COMPAT (PHP before 8.1): only the double quotation mark (") is converted and the single quotation mark (') is left alone, which is enough to break out of a single-quoted attribute value. Since PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but code that has to run on older versions should not rely on that.
So, most of the time htmlspecialchars should be called with the second argument spelled out: htmlspecialchars($string, ENT_QUOTES). If you really do not need the quotation marks converted, use htmlspecialchars($string, ENT_NOQUOTES), but then the result is only safe between tags, never inside an attribute value.
Use htmlentities sparingly. For pure-English text htmlentities and htmlspecialchars behave the same and both achieve the goal. With Chinese text, however, htmlentities converts every character that has a named entity, and if the charset argument does not match the real encoding of the string it interprets the bytes of the multibyte characters as single-byte ones and converts those too, producing garbage.
Note also that neither function touches the single quotation mark unless ENT_QUOTES is given, and that strings converted with htmlentities or htmlspecialchars are protected only against XSS: HTML entity encoding does nothing against SQL injection, which needs prepared statements (or at least a database-specific escaping function) instead.
Every output statement, such as echo or print, should pass the data through htmlentities() or htmlspecialchars() before printing; this is what prevents XSS. For Chinese text pass the charset explicitly, e.g. htmlentities($name, ENT_QUOTES, 'GB2312'); keep ENT_QUOTES rather than ENT_NOQUOTES unless the value is guaranteed to land between tags and never inside an attribute.
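As an added example (not code from the original article), the following script shows the attribute breakout that ENT_COMPAT allows, the ENT_QUOTES fix, and why a value dropped into a JavaScript string needs a different encoder than htmlspecialchars. The helper names h() and js() are this example's own choice; the attacker strings are constructed.

```php
<?php
// Added example, not part of the original article.
declare(strict_types=1);

/**
 * Escape for HTML text or a quoted HTML attribute.
 * ENT_QUOTES converts both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
 * with U+FFFD instead of making htmlspecialchars return an empty string.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Escape for a JavaScript string literal inside <script>. Entity encoding
 * is wrong in that context; JSON encoding with the HEX flags keeps <, >, &
 * and both quote characters out of the emitted script.
 */
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// Constructed attacker input: closes a single-quoted attribute and adds a handler.
$name = "x' onmouseover='alert(1)";

// ENT_COMPAT (the pre-8.1 default) leaves ' untouched, so the attribute is escaped from:
$weak = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
echo "<a title='$weak'>weak</a>\n";
// <a title='x' onmouseover='alert(1)'>weak</a>      <- handler injected

// With ENT_QUOTES the single quote becomes &#039; and stays inside the value:
echo "<a title='" . h($name) . "'>strong</a>\n";
// <a title='x&#039; onmouseover=&#039;alert(1)'>strong</a>

// Chinese text passes through untouched when the charset is right:
echo h("你好 <b>") . "\n";                       // 你好 &lt;b&gt;

// JavaScript context: htmlspecialchars would leave "</script>" as "&lt;/script&gt;",
// which is not what a script block needs; js() yields "\u003C\/script\u003E".
echo "<script>var who = " . js("</script><script>alert(1)") . ";</script>\n";

// Invalid UTF-8 (constructed): without ENT_SUBSTITUTE the whole output vanishes.
var_dump(htmlspecialchars("\xff", ENT_QUOTES, 'UTF-8') === '');   // bool(true)
var_dump(h("\xff") === "\u{FFFD}");                                 // bool(true)
```

The last two lines are the silent failure mode worth knowing about: on malformed input the unflagged call returns an empty string, so a page can lose a field without any error being raised.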
Method two: not much more to say, here is a function. It is the regular-expression based xss_clean() filter that shipped with Kohana 2.x: it normalises and decodes entities first (so encoded payloads cannot slip past the later patterns), strips attributes starting with "on" or xmlns, neuters javascript:, vbscript: and -moz-binding: URLs and the IE-only CSS expression()/behaviour(), removes namespaced elements, then deletes dangerous tags in a loop until the input stops changing (a single pass would leave "<scr<script>ipt>" as "<script>").
function xss_clean($data)
{
    // Fix &entity\n;
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (whitespace may be interleaved between the letters)
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do
    {
        // Remove really unwanted tags; repeat until nothing changes, so nested or split tags cannot reassemble
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    }
    while ($old_data !== $data);

    // we are done...
    return $data;
}
Caveat: this is a blacklist. It only knows the tags, attributes and URL schemes listed in its patterns, so any vector outside that list passes through, and the output is still raw HTML that must not be echoed into an attribute or a script block without the context-appropriate escaping from method one. Use a function like this only where users are genuinely allowed to submit HTML, and prefer a whitelist-based sanitizer for that case.
Method three: a general PHP filter against injection and XSS
function SafeFilter(&$arr)
{
    // First pattern: ASCII control characters other than tab, LF and CR. The rest are keyword blacklists.
    $ra = array('/([\x00-\x08\x0b\x0c\x0e-\x1f])/', '/script/', '/javascript/', '/vbscript/', '/expression/', '/applet/', '/meta/', '/xml/', '/blink/', '/link/', '/style/', '/embed/', '/object/', '/frame/', '/layer/', '/title/', '/bgsound/', '/base/', '/onload/', '/onunload/', '/onchange/', '/onsubmit/', '/onreset/', '/onselect/', '/onblur/', '/onfocus/', '/onabort/', '/onkeydown/', '/onkeypress/', '/onkeyup/', '/onclick/', '/ondblclick/', '/onmousedown/', '/onmousemove/', '/onmouseout/', '/onmouseover/', '/onmouseup/');

    if (is_array($arr)) {
        foreach ($arr as $key => $value) {
            if (!is_array($value)) {
                // Do not call addslashes() on data that magic_quotes_gpc already escaped, to avoid double escaping.
                // get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call; modern PHP never pre-escapes input.
                if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
                    // Prefix single quote ('), double quote ("), backslash (\) and NUL with a backslash
                    $value = addslashes($value);
                }
                // Remove non-printing characters and brute-force-filter strings that look like XSS
                $value = preg_replace($ra, '', $value);
                // Remove HTML and PHP tags, then convert the remainder to HTML entities
                $arr[$key] = htmlentities(strip_tags($value));
            } else {
                SafeFilter($arr[$key]);
            }
        }
    }
}
Caveat: this filter is destructive and easy to get around. The keyword patterns carry no i flag, so "Script" or "ONCLICK" are not matched, while ordinary words that contain "base", "link", "title" or "style" lose those letters. addslashes() is not a SQL-injection defence (it is not charset-aware and is applied regardless of whether the value will ever reach a database), and applying it together with htmlentities() at input time bakes one output context's encoding into the stored data, which then has to be undone or doubled for every other context. The more robust pattern is to validate each field against its expected type on input, store it unmodified, pass it to the database as a bound parameter, and encode it for HTML only at the point where it is printed.
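As an added example (not code from the original article), the script below implements the alternative that tips 1 and 2 call for: per-field type validation that rejects rather than "cleans" bad input, a prepared statement so the SQL-injection attempt travels as data, and HTML encoding only at output. It assumes the pdo_sqlite extension is available for an in-memory database; the table, field names and request values are constructed, and validate() is a name chosen here.

```php
<?php
// Added example, not part of the original article.
declare(strict_types=1);

/**
 * Tip 2: validate each field against what it is expected to be.
 * Returns null when any value does not fit, instead of mangling it.
 * Rules: 'int', 'email', 'text' (assumed names for this example).
 */
function validate(array $input, array $rules): ?array
{
    $out = [];
    foreach ($rules as $field => $rule) {
        $raw = $input[$field] ?? null;
        if (!is_string($raw)) {
            return null;                            // missing or nested value: reject
        }
        // Drop ASCII control characters except tab, LF and CR.
        $raw = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/', '', $raw);
        switch ($rule) {
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT);
                if ($v === false) return null;
                $out[$field] = $v;                  // now a PHP int, not a string
                break;
            case 'email':
                $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
                if ($v === false) return null;
                $out[$field] = $v;
                break;
            case 'text':
                if (preg_match('//u', $raw) !== 1) return null;   // must be valid UTF-8
                $out[$field] = trim($raw);          // stored raw; encoded at output
                break;
            default:
                throw new InvalidArgumentException("unknown rule $rule");
        }
    }
    return $out;
}

// In-memory SQLite stands in for the real database (assumption: pdo_sqlite is loaded).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comment (id INTEGER PRIMARY KEY, post_id INTEGER, email TEXT, body TEXT)');

// Constructed request mixing an XSS payload with a SQL-injection attempt.
$request = [
    'post_id' => '7',
    'email'   => 'a@example.com',
    'body'    => "<script>alert(1)</script>' OR 1=1 --",
];

$clean = validate($request, ['post_id' => 'int', 'email' => 'email', 'body' => 'text']);
if ($clean === null) {
    exit("invalid input\n");
}

// SQL injection: the body is a bound parameter, never part of the SQL text,
// so the quote and the "OR 1=1 --" fragment are stored as plain data.
$stmt = $pdo->prepare('INSERT INTO comment (post_id, email, body) VALUES (:p, :e, :b)');
$stmt->execute([':p' => $clean['post_id'], ':e' => $clean['email'], ':b' => $clean['body']]);

// XSS: the stored value is untouched; encoding happens at the output boundary.
$row = $pdo->query('SELECT body FROM comment')->fetch(PDO::FETCH_ASSOC);
echo '<p>' . htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>\n";
// <p>&lt;script&gt;alert(1)&lt;/script&gt;&#039; OR 1=1 --</p>

// A value that fails its type rule is refused, not "cleaned":
var_dump(validate(['post_id' => '7 OR 1=1'], ['post_id' => 'int']));   // NULL
```

Because the body is stored exactly as submitted, the same row can later be rendered into an attribute, a JSON response or a plain-text e-mail with the encoder each of those contexts needs; a filter that entity-encodes at input time cannot do that.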
Preventing XSS and SQL injection