1. Delete HTML comments;
2. Delete the script, link, object, embed, iframe, frame and frameset tags, and any tag that has an attribute beginning with on or containing javascript:[^;] or expression;
3. Delete the comments in CSS (this prevents comments from being used to evade the removal of expression; I do not know what other methods could evade the removal of expression);
4. Delete CSS expression expressions;
The code is as follows:

<?php
/** Filter dangerous HTML **/
function fillter_html($str)
{
    /* Filter style tags. The s modifier lets . match newlines, so multi-line
       comments, tags and style bodies are matched as well. */
    return preg_replace_callback(
        /* Filter style tag content */
        '/(<\s*style[^>]*>)((?:(?!<\s*\/\s*style\s*>).)*)(<\s*\/\s*style\s*>)?/is',
        /* A closure replaces create_function(), which was removed in PHP 8.0;
           group 3 is absent when the closing style tag is missing */
        function ($m) {
            return $m[1] . fillter_css($m[2]) . ($m[3] ?? '');
        },
        preg_replace(
            array(
                /* Delete HTML comments */
                '/<!--.*?-->/s',
                /* Delete tags: script, link, object, embed, iframe, frame, frameset */
                '/<\s*(script|object|embed|link|i?frame(set)?)[^>]*>(.*?<\s*\/\s*\1\s*>)?/is',
                /* Delete tags with events, the javascript: protocol or CSS expressions */
                '/<[^>]+((on[a-z]+\s*=|javascript:[^;"\']|expression\s*\()[^>]*)+>?/i',
            ),
            '',
            $str
        )
    );
}

/* Filter style body */
function fillter_css($str)
{
    /* Delete comments, the javascript: protocol and expressions */
    return preg_replace(
        array(
            '/\/\*((?!\*\/).)*\*\/|\/\*|\*\//s',
            '/expression\s*\((.*?\))?|javascript\s*:/is',
        ),
        '',
        $str
    );
}
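The same four steps applied to a parsed DOM with an allowlist, instead of regular expressions over the raw text. This is an added example, not the article's code: it swaps the blocklist for PHP's DOMDocument, and the names sanitize_html, is_safe_url and the three allowlists are assumptions chosen for illustration.

```php
<?php
// Added example, not the article's code; all names and lists here are hypothetical.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS   = ['href', 'src', 'alt', 'title']; // no on* handlers, no style
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
function is_safe_url(string $url): bool
{
    // Browsers ignore whitespace and control characters inside a scheme name.
    $u = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return true; // no scheme at all: relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}
function sanitize_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate malformed markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $xpath = new DOMXPath($doc);
    $root  = $xpath->query('//div[@id="root"]')->item(0);
    // Snapshot first: the live node list must not be modified while iterating.
    foreach (iterator_to_array($xpath->query('.//comment() | .//*', $root)) as $node) {
        // Comments and non-allowlisted elements (script, style, iframe ...) go, content included.
        if ($node instanceof DOMComment || !in_array(strtolower($node->nodeName), ALLOWED_TAGS, true)) {
            $node->parentNode->removeChild($node);
            continue;
        }
        // Attribute values are read after the parser has decoded character references.
        foreach (iterator_to_array($node->attributes, false) as $attr) {
            $name  = strtolower($attr->name);
            $isUrl = in_array($name, ['href', 'src'], true);
            if (!in_array($name, ALLOWED_ATTRS, true) || ($isUrl && !is_safe_url($attr->value))) {
                $node->removeAttributeNode($attr);
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed sample input covering the four rules.
$sample = '<p onclick="x()">Hi<!-- note --> <a href="javascript:x()">a</a> <a href="https://example.com/">b</a></p>'
        . '<script>x()</script><p style="width:expression(x())">c</p>';
echo sanitize_html($sample), "\n";
```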