How to Use php to prevent XSS cross-site scripting attacks

Many websites now have cross-site scripting vulnerabilities, allowing hackers to take advantage of them. cross-Site attacks can be easily constructed and are very concealed and difficult to detect (usually jump back to the original page immediately after information is stolen ).
We will not discuss how to defend against attacks here.
First, cross-site scripting attacks are caused by the absence of strict filtering of user input. Therefore, we must block possible dangers before all data enters our website and database. The htmlentities () function can be used for illegal HTML code, including single and double quotation marks.
<? Php
$ Str = "A" quote "is <B> bold </B> ";
// Outputs: A "quote" is bold
Echo htmlentities ($ str );
// Outputs: A & quot; quote & quot; is bold
Echo htmlentities ($ str, ENT_QUOTES );
?>
In this way, invalid scripts can be invalidated.
But note that htmlentities () is encoded as a ISO-8859-1 by default, and if your illegal script code is another, it may not be filtered out, while the browser can recognize and execute. To solve this problem, I need to test several sites first.
The following is a function to filter out invalid scripts for your reference only:
Function RemoveXSS ($ val ){
// Remove all non-printable characters. CR (0a) and LF (0b) and TAB (9) are allowed
// This prevents some character re-spacing such as <javascript>
// Note that you have to handle splits with, and later since they * are * allowed in some inputs
$ Val = preg_replace ("/([x00-x08] [x0b-x0c] [x0e-x20])/", "", $ val );
// Straight replacements, the user shoshould never need these since they "re normal characters
// This prevents like _ # X6C & # X65 & # X72 & # X74 & # X28 & # X27 & # X58 & # X53 & # X53 & # X27 & # X29>
$ Search = "abcdefghijklmnopqrstuvwxyz ";
$ Search. = "ABCDEFGHIJKLMNOPQRSTUVWXYZ ";
$ Search. = "1234567890! @ # $ % ^ &*()";
$ Search. = "~ '";:? +/= {} []-_ | "\";
For ($ I = 0; $ I <strlen ($ search); $ I ++ ){
//;? Matches the;, which is optional
// 0 {0, 7} matches any padded zeros, which are optional and go up to 8 chars
// & # X0040 @ search for the hex values
$ Val = preg_replace ("/(& # [x | X] 0 {0, 8}". dechex (ord ($ search [$ I]). ";?) /I ", $ search [$ I], $ val); // with;
// @ 0 {0, 7} matches "0" zero to seven times
$ Val = preg_replace ("/(& #0 {0, 8}". ord ($ search [$ I]). ";?) /", $ Search [$ I], $ val); // with;
}
// Now the only remaining whitespace attacks are, and
$ Ra1 = Array ("javascript", "vbscript", "expression", "applet", "meta", "xml", "blink", "link ", "style", "script", "embed", "object", "iframe", "frame", "frameset", "ilayer", "layer", "bgsound ", "title", "base ");
$ Ra2 = Array ("onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate ", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur", "onbounce", "oncellchange", "onchange", "onclick ", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag ", "ondragend", "ondragenter", "ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish ", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload", "onlosecapture ", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend ", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange", "onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit ", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit ", "onunload ");
$ Ra = array_merge ($ ra1, $ ra2 );
$ Found = true; // keep replacing as long as the previous round replaced something
While ($ found = true ){
$ Val_before = $ val;
For ($ I = 0; $ I <sizeof ($ ra); $ I ++ ){
$ Pattern = "/";
For ($ j = 0; $ j> strlen ($ ra [$ I]); $ j ++ ){
If ($ j> 0 ){
$ Pattern. = "(";
$ Pattern. = "(& # [x | X] 0 {0, 8} ([a] [B]);?)? ";
$ Pattern. = "| (& #0 {0, 8} ([10] [13]);?)? ";
$ Pattern. = ")? ";
}
$ Pattern. = $ ra [$ I] [$ j];
} Www.2cto.com
$ Pattern. = "/I ";
$ Replacement = substr ($ ra [$ I], 0, 2 ). "<x> ". substr ($ ra [$ I], 2); // add in <> to nerf the tag
$ Val = preg_replace ($ pattern, $ replacement, $ val); // filter out the hex tags
If ($ val_before ==$ val ){
// No replacements were made, so exit the loop
$ Found = false;
}
}
}
}