Attackers use many different XSS techniques, and no single PHP built-in function copes with all of them. Therefore filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars, strip_tags and similar functions cannot, on their own, be relied on for 100% protection. You need a better mechanism. Here is one solution:
<? Php
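/**
 * Strip common XSS vectors from a fragment of untrusted HTML.
 *
 * Blacklist filter (the Bitflux/Kohana "xss_clean" approach): it normalises
 * HTML entities, removes on* and xmlns attributes, neuters javascript:,
 * vbscript: and -moz-binding: URLs, drops style attributes carrying
 * expression()/behaviour()/script:, removes namespaced elements and finally
 * strips a fixed list of dangerous tags until the input stops changing.
 *
 * The result is entity-decoded markup, not escaped text: it is a
 * pre-filter for HTML that is meant to be rendered as HTML, and does not
 * replace context-aware output escaping (htmlspecialchars() etc.) at the
 * point where a value is written into a page.
 *
 * @param string $data untrusted HTML fragment
 * @return string the filtered fragment
 * @throws RuntimeException when a PCRE call fails (for example invalid UTF-8
 *                          under the u modifier); the input is then never
 *                          passed through unfiltered
 */
function xss_clean(string $data): string
{
    // preg_replace() returns null on a PCRE error. Fail closed here instead of
    // letting the remaining steps silently run against an empty subject.
    $replace = static function ($pattern, $replacement, $subject) {
        $result = preg_replace($pattern, $replacement, $subject);
        if ($result === null) {
            throw new RuntimeException('xss_clean: preg_replace failed, PCRE error ' . preg_last_error());
        }
        return $result;
    };

    // Double-encode entities that are already escaped so that the
    // html_entity_decode() below restores them as text instead of turning
    // them into live markup.
    $data = str_replace(['&amp;', '&lt;', '&gt;'], ['&amp;amp;', '&amp;lt;', '&amp;gt;'], $data);
    // Normalise "&entity   ;" and "&#xHH;;" forms so a single decode pass sees them.
    $data = $replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = $replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns (whitespace or a quote
    // must precede it so words inside attribute values are left alone).
    $data = $replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript:, vbscript: and -moz-binding: protocols. Whitespace
    // (including NUL..space control characters) is tolerated between letters
    // because browsers ignore it when parsing the scheme.
    $data = $replace(
        '#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu',
        '$1=$2nojavascript...',
        $data
    );
    $data = $replace(
        '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu',
        '$1=$2novbscript...',
        $data
    );
    $data = $replace(
        '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u',
        '$1=$2nomozbinding...',
        $data
    );

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    // Drop the whole style attribute when it carries expression(), behaviour()
    // or a script: URL.
    $data = $replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = $replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = $replace(
        '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu',
        '$1>',
        $data
    );

    // Remove namespaced elements (we do not need them)
    $data = $replace('#</*\w+:\w[^>]*+>#i', '', $data);

    // Remove really unwanted tags (applet, base, bgsound, blink, embed, frame,
    // frameset, iframe, ilayer, layer, link, meta, object, script, style,
    // title, xml). Repeat until nothing changes so that nested/split tags
    // such as "<scr<script>ipt>" cannot survive a single pass.
    $unwantedTags = '#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i';
    do {
        $oldData = $data;
        $data = $replace($unwantedTags, '', $data);
    } while ($oldData !== $data);

    // we are done...
    return $data;
}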
?>