Intrusion-PHP's ultimate solution to prevent XSS injection "information security" "Hack"

Update20151202:
Thank you for your attention and answer, at present I learned from various ways of defense methods, organized as follows:

1. PHP直接输出html的，可以采用以下的方法进行过滤：

   1.htmlspecialchars函数2.htmlentities函数3.HTMLPurifier.auto.php插件4.RemoveXss函数（百度可以查到）

2. PHP输出到JS代码中，或者开发Json API的，则需要前端在JS中进行过滤：

   1.尽量使用innerText(IE)和textContent(Firefox),也就是jQuery的text()来输出文本内容2.必须要用innerHTML等等函数，则需要做类似php的htmlspecialchars的过滤（参照@eechen的答案）

3. 其它的通用的补充性防御手段

   1.在输出html时，加上Content Security Policy的Http Header（作用：可以防止页面被XSS攻击时，嵌入第三方的脚本文件等）（缺陷：IE或低版本的浏览器可能不支持）2.在设置Cookie时，加上HttpOnly参数（作用：可以防止页面被XSS攻击时，Cookie信息被盗取，可兼容至IE6）（缺陷：网站本身的JS代码也无法操作Cookie，而且作用有限，只能保证Cookie的安全）3.在开发API时，检验请求的Referer参数（作用：可以在一定程度上防止CSRF攻击）（缺陷：IE或低版本的浏览器中，Referer参数可以被伪造）

This is probably all, we have any other ideas, welcome to add!

——————————————————————————————————————————————————

The original problem is as follows:

How is 1.PHP perfect (or as perfect as possible) to defend against XSS attacks (more perfect than htmlspecialchars)?
2. I was thinking is not the best defense XSS in the front-end (after all, JS in the front-end parsing string has a hole AH)?
3. What are the solutions or ideas for wood?

The problem of XSS defense has been studied recently.

After all, such as user-registered API, may be exploited by hacker, forcibly submitted "" Such user name.

And then the Web front end all have to display the user name place ...
So... Boom ...

Straight into focus:
I see a lot of defense against XSS is PHP's htmlentities function or Htmlspecialchars.
At random Baidu, seemingly thinkphp3.x default is to use the htmlspecialchars.
For example: $str = Htmlspecialchars ($str, ent_quotes);//Replace <>& ' "This 5 characters
But is it enough to replace that few words really?

Then I found this article:
http://tieba.baidu.com/p/3003719171
Using \u003c\u003e in the JS string will be interpreted as an <> feature for XSS attacks ...
Lying trough ...

Then I thought of JS in the eval and so on function is simply bottomless pit ...
Then I found this article:
Http://www.2cto.com/Article/201310/251830.html
Using various codes, various means to execute JS, simply insane.
Like what:

Ah! CAO.
I started to wonder about the whole world ...
So
My question is:

How is 1.PHP perfect (or as perfect as possible) to defend against XSS attacks (more perfect than htmlspecialchars)?
2. I was thinking is not the best defense XSS in the front-end (after all, JS in the front-end parsing string has a hole AH)?
3. What are the solutions or ideas for wood?

Update20151201:
Can not copy and paste the answer, or superstition Htmlspecialchars is invincible, okay?
\u003cimg src=1 Onerror=alert (/xss/) \u003e any of the characters will not be processed by Htmlspecialchars.
Look at the picture yourself, yes, it's you!

Reply content:

Update20151202:
Thank you for your attention and answer, at present I learned from various ways of defense methods, organized as follows:

1. PHP直接输出html的，可以采用以下的方法进行过滤：

   1.htmlspecialchars函数2.htmlentities函数3.HTMLPurifier.auto.php插件4.RemoveXss函数（百度可以查到）

2. PHP输出到JS代码中，或者开发Json API的，则需要前端在JS中进行过滤：

   1.尽量使用innerText(IE)和textContent(Firefox),也就是jQuery的text()来输出文本内容2.必须要用innerHTML等等函数，则需要做类似php的htmlspecialchars的过滤（参照@eechen的答案）

3. 其它的通用的补充性防御手段

   1.在输出html时，加上Content Security Policy的Http Header（作用：可以防止页面被XSS攻击时，嵌入第三方的脚本文件等）（缺陷：IE或低版本的浏览器可能不支持）2.在设置Cookie时，加上HttpOnly参数（作用：可以防止页面被XSS攻击时，Cookie信息被盗取，可兼容至IE6）（缺陷：网站本身的JS代码也无法操作Cookie，而且作用有限，只能保证Cookie的安全）3.在开发API时，检验请求的Referer参数（作用：可以在一定程度上防止CSRF攻击）（缺陷：IE或低版本的浏览器中，Referer参数可以被伪造）

This is probably all, we have any other ideas, welcome to add!

——————————————————————————————————————————————————

The original problem is as follows:

How is 1.PHP perfect (or as perfect as possible) to defend against XSS attacks (more perfect than htmlspecialchars)?
2. I was thinking is not the best defense XSS in the front-end (after all, JS in the front-end parsing string has a hole AH)?
3. What are the solutions or ideas for wood?

The problem of XSS defense has been studied recently.

After all, such as user-registered API, may be exploited by hacker, forcibly submitted "" Such user name.

And then the Web front end all have to display the user name place ...
So... Boom ...

Straight into focus:
I see a lot of defense against XSS is PHP's htmlentities function or Htmlspecialchars.
At random Baidu, seemingly thinkphp3.x default is to use the htmlspecialchars.
For example: $str = Htmlspecialchars ($str, ent_quotes);//Replace <>& ' "This 5 characters
But is it enough to replace that few words really?

Then I found this article:
http://tieba.baidu.com/p/3003719171
Using \u003c\u003e in the JS string will be interpreted as an <> feature for XSS attacks ...
Lying trough ...

Then I thought of JS in the eval and so on function is simply bottomless pit ...
Then I found this article:
Http://www.2cto.com/Article/201310/251830.html
Using various codes, various means to execute JS, simply insane.
Like what:

Ah! CAO.
I started to wonder about the whole world ...
So
My question is:

How is 1.PHP perfect (or as perfect as possible) to defend against XSS attacks (more perfect than htmlspecialchars)?
2. I was thinking is not the best defense XSS in the front-end (after all, JS in the front-end parsing string has a hole AH)?
3. What are the solutions or ideas for wood?

Update20151201:
Can not copy and paste the answer, or superstition Htmlspecialchars is invincible, okay?
\u003cimg src=1 Onerror=alert (/xss/) \u003e any of the characters will not be processed by Htmlspecialchars.
Look at the picture yourself, yes, it's you!

This question we still first to ask the brick home ...

Now connect us to the brick house outside the field immediately.

Beep beep ...

Brick home Hello, ask this classmate's question you how to think?

Brick House: I am lying on the window to see ...

... @#%&*!~~ (@$% ...).

Well, the original brick house is said that the haze is serious recently, so he can only lie on the window to see the problem ...

Now, listen to the experts:

The devil is also in the proper.

There is a special study of these things, anything that only the professional areas of the people to do will be more efficient.

Use HTMLPurifier is the ultimate ideal.

1. http://www.xcoder.cn/index.php/archives/971

2. http://willko.iteye.com/blog/475493

3. Http://www.piaoyi.org/php/HTML-Purifier-PHP-xss.html

4. Http://www.edu.cn/ji_shu_ju_le_bu_1640/20080717/t20080717_310285.shtml

5. Http://www.111cn.net/phper/phpanqn/78018.htm

6. Http://security.ctocio.com.cn/securitycomment/54/8222554.shtml

In fact, I also want to say, I do not want to prevent XSS this thing to the front-end, template language to do, for the front end, give her what to use, with the discomfort of their own appropriate to do variable adjustment on it. Give them to use, let them use of the cool, with simple, this is our good man's responsibility and duty, everyone said right ah, hehe.

First of all, I want to say, don't use your ignorance to challenge everyone.

This is however persuasive outsmart.

Encoding in HTML:

< 进行编码html十进制: <  html十六进制:<url: %3C  base64: PA==

Encoding in javascript:

<  进行编码八进制:\74  十六进制:\x3c unicode:\u003c

Of course, htmlspecialchars must be no, can only be handled simply, or else discuss what XSS

The translations performed are:'&' (ampersand) becomes '&''"' (double quote) becomes '"' when ENT_NOQUOTES is not set."'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set.'<' (less than) becomes '<''>' (greater than) becomes '>'

The above code can also be written like this

testtesttestclick test

But the point is, are you sure that your code can be submitted? You have to make sure, and then come up and say

For example, the simplest href adds the following code to basically break the dish.

Have you ever tested, say that the scenes you mentioned can bypass Htmlspecialchars Ah, practice the truth.

补充:
你说的对,毕竟很多时候要把AJAX加载的数据用innerHTML添加到页面.
值得注意的是,innerHTML本质也是输出HTML,
所以我们可以在输出前用JS像PHP的htmlspecialchars那样
把特殊字符(&,",',<,>)替换为HTML实体(&"'<>).
或者干脆直接用innerText(IE)和textContent(Firefox),也就是jQuery的text()来输出文本内容.
StackOverflow上找的两个实现:

function escapeHtml(text) { return text .replace(/&/g, "&") .replace(//g, ">") .replace(/"/g, """) .replace(/'/g, "'");}function escapeHtml(text) { var map = { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''' }; return text.replace(/[&<>"']/g, function(m) { return map[m]; });}

Method one, using PHP htmlentities function

PHP prevents XSS Cross-site scripting attacks by using the Htmlspecialchars () function for illegal HTML code including single and double quotes.

When using the Htmlspecialchars () function, note the second argument, directly with the Htmlspecialchars ($string), the second parameter is Ent_compat, the function defaults to only the conversion of double quotation marks ("), do not escape the single quotation mark (').

So, the Htmlspecialchars function has more time to add the second parameter, which should be used: Htmlspecialchars ($string, ent_quotes). Of course, if you need not convert how the quotation marks, With Htmlspecialchars ($string, ent_noquotes).

In addition, as far as possible to use Htmlentities, in all English time htmlentities and htmlspecialchars no difference, can achieve the goal. However, in Chinese, htmlentities translates all HTML code, Along with its unrecognized Chinese characters are also converted.

Htmlentities and Htmlspecialchars These two functions of the "string support is not good, can not be converted, so with htmlentities and Htmlspecialchars converted strings can only prevent XSS attacks, Cannot prevent SQL injection attacks.

All printed statements, such as Echo,print, should be filtered using htmlentities () before printing, which prevents XSS, note that the Chinese will write Htmlentities ($name, ent_noquotes,gb2312).

Method Two, give a function

function Xss_clean ($data) {//Fix &entity\n; $data =str_replace (' & ', ' < ', ' > '), Array (' &amp; ', ' &lt; ', ' &gt; '), $data); $data =preg_replace ('/(&#*\w+) [\x00-\x20]+;/u ', ' $ $; ', $data); $data =preg_replace ('/(& #x *[0-9a-f]+); */iu ', ' $ $; ', $data); $data =html_entity_decode ($data, Ent_compat, ' UTF-8 '); Remove any attribute starting with "on" or xmlns $data =preg_replace (' # (<[^>]+?[ \x00-\x20 "\"]) (?: O N|XMLNS) [^>]*+> #iu ', ' $1> ', $data); Remove Javascript:and vbscript:protocols $data =preg_replace (' # ([a-z]*) [\x00-\x20]*=[\x00-\x20]* (['] ' "]*) [ \x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[ \x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*: #iu ', ' $1=$2nojavascript ... ', $data); $data =preg_replace (' # ([a-z]*) [\x00-\x20]*= ([\ ']]*) [\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[ \x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*: #iu ', ' $1=$2novbscript ... ', $data); $data =preg_replace (' # ([a-z]*) [\x00-\x20]*= ([\ ' "]*) [\x00-\x20]*-moz-binding[\x00-\x20]*: #u ', ' $1=$2nomozbinding ... ', $data);  Only works in IE:$data =preg_replace (' # (<[^>]+?) style[\x00-\x20]*=[\x00-\x20]*[' \ ' "]*.*?expression[\x00-\x20]*\ ([^>]*+> #i ', ' $1> ', $data); $data =preg_replace (' # (<[^>]+?) style[\x00-\x20]*=[\x00-\x20]*[' \ ' "]*.*?behaviour[\x00-\x20]*\ ([^>]*+> #i ', ' $1> ', $data); $data =preg_replace (' # (<[^>]+?) style[\x00-\x20]*=[\x00-\x20]*[' \ ' "]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[ \x00-\x20]*:* [^>]*+> #iu ', ' $1> ', $data); Remove namespaced Elements (we do not need them) $data =preg_replace (' #
   ]*+> #i ', ', $data);  http://www.111cn.net/do{//Remove really unwanted tags $old _data= $data; $data =preg_replace (' #
   ]*+> #i ', ', $data); }while ($old _data!== $data); We are done ... return $data;}

To "perfect" the defense of XSS, each development should fully understand the knowledge of XSS, in the appropriate scenario with the appropriate program to encode

Recommended reference:
Https://www.owasp.org/index.php/XSS_ (cross_site_scripting) _prevention_cheat_sheet

Any effort to solve this problem with a function/a library is a daydream.

To re-affix one side:
Https://www.owasp.org/index.php/XSS_ (cross_site_scripting) _prevention_cheat_sheet

Can never perfect defense, but at least to block 99% (the remaining 1% is the most ferocious ~ ~ ~), the current unified approach is to do input inspection, good programming awareness, safe escape, with the help of third-party security library. Do not trust input. And do not trust the output.

Why not use CSP direct solve everything?

