PHP XSS filter function
<?php
/**
 * Filter XSS (Cross-Site Scripting)
 * @param  string $val  input that may contain malicious script code such as
 *                      <script language="javascript">alert("hello world");</script>
 * @return string       the processed string
 * Recoded by Androidyue
 */
function RemoveXSS($val) {
    // remove all non-printable characters. CR (0x0d), LF (0x0a) and TAB (0x09) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r and \t later since they *are* allowed in some inputs
    // (the character class must not contain literal commas, or every comma in the input is stripped)
    $val = preg_replace('/([\x00-\x08\x0b\x0c\x0e-\x1f])/', '', $val);

    // straight replacements: the user should never need these encoded, since they're normal characters
    // this prevents ordinary characters from being smuggled in as numeric character references
    // '<', '>' and space are deliberately not in this list, so decoding never creates new markup
    $search  = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
        // search for the hex values (&#x6a; &#X006A ...)
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // search for the decimal values (&#106; &#0000106 ...)
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }

    // now the only remaining whitespace attacks are \t, \n and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // between two letters of a keyword, allow any number of
                    // tab/LF/CR character references (hex 9, a, b; decimal 9, 10, 13)
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                    $pattern .= '|';
                    $pattern .= '(&#0{0,8}(9|10|13);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2); // add in <x> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
            if ($val_before == $val) {
                // no replacements were made, so exit the loop
                $found = false;
            }
        }
    }
    return $val;
}

// test (from www.2cto.com):
// echo RemoveXSS("<script language='javascript'>alert('Hello World');</script>");
?>
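To make the effect of the filter checkable, here is an added example (not code from the original post) that implements its two core steps in standalone JavaScript: canonicalizing numeric character references for the same character set the PHP loop decodes, and nerfing a keyword even when tab/LF/CR references sit between its letters. The keyword list is a subset of the one above, kept in the same order.

```javascript
// Added example, not code from the original post: the two core steps of the
// RemoveXSS filter above, written as standalone JavaScript so that their effect
// on encoded input can be checked. Step 1 canonicalizes numeric character
// references (&#106; &#x6A; &#0000106 ...) for exactly the character set the
// PHP loop decodes; '<', '>' and space are deliberately absent from that set,
// so decoding can never create new markup. Step 2 neutralizes a keyword even
// when tab/LF/CR references are wedged between its letters.

const DECODABLE = 'abcdefghijklmnopqrstuvwxyz' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  + '1234567890!@#$%^&*()' + '~`";:?+/={}[]-_|\'\\';

// &#NN; or &#xHH; with up to 8 leading zeros and an optional trailing ';'
const NUMERIC_REF = /&#(?:[xX]0{0,8}([0-9a-fA-F]{1,2})|0{0,8}([0-9]{2,3}));?/g;

function decodeNumericRefs(input) {
  return input.replace(NUMERIC_REF, (ref, hex, dec) => {
    const code = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
    const ch = String.fromCharCode(code);
    return DECODABLE.includes(ch) ? ch : ref; // anything else stays encoded
  });
}

// Zero or more references to 9/0xa/0xb (hex) or 9/10/13 (decimal), as written
// in the PHP pattern; this is what may sit between two letters of a keyword.
const GAP = '(?:&#(?:[xX]0{0,8}[9abAB]|0{0,8}(?:9|10|13));)*';

// Subset of the keyword list above, in the page's order; the full list works too.
const KEYWORDS = ['javascript', 'vbscript', 'expression', 'script', 'onload'];

function nerfKeyword(input, keyword) {
  const pattern = new RegExp(keyword.split('').join(GAP), 'gi');
  // replace with the canonical keyword split by "<x>", exactly as the PHP does
  return input.replace(pattern, keyword.slice(0, 2) + '<x>' + keyword.slice(2));
}

function removeXss(input) {
  let val = decodeNumericRefs(input);
  let before;
  do { // repeat until a full round over all keywords changes nothing
    before = val;
    for (const kw of KEYWORDS) val = nerfKeyword(val, kw);
  } while (val !== before);
  return val;
}
```

Note that the word "script" inside an already nerfed "ja<x>vascript" is nerfed again on the same round, which is also what the PHP loop does.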
JavaScript XSS filter
Filtering XSS in JavaScript is only a defense against well-behaved users, not against a determined attacker. Either of two methods can be used. The first is to escape the angle brackets and quotation marks, as in the following code:
// name added here for readability; the original snippet was an anonymous function
var escapeHtml = function (cont) {
    cont = cont.replace(/&/g, '&amp;');
    cont = cont.replace(/</g, '&lt;').replace(/>/g, '&gt;');
    cont = cont.replace(/\'/g, '&#39;').replace(/\"/g, '&quot;');
    return cont;
};
The second method is to create a DOM element dynamically, assign the string to its innerText, and then read back its innerHTML, which yields the escaped content.
Note: thanks to Jackmasa for pointing out the problem. In fact there are still problems with this approach; for details see the article "front-end security".
Preventing Apache from serving svn repository directories
A few days ago the widely reported svn repository exposure came up, and I found a simple way to stop Apache from serving svn repository directories; nginx can disable .svn browsing in a similar way.
Disable svn browsing in Apache:
<Directory ~ "\.svn">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order allow,deny
    Deny from all
</Directory>
Disable svn browsing in nginx:
location ~ /\.svn/ {
    deny all;
}