The following function, RemoveXSS, can be used to filter user input so that the result is safe to place in an HTML page. It works in three stages, each explained in the comments inside the function: it strips non-printable control characters, decodes numeric character references (&#106; and &#x6A; forms) for ordinary characters back to the literal character so that a keyword cannot be hidden behind encoding, and then breaks up a blacklist of dangerous tag names, URL schemes and event-handler attributes by inserting a harmless <x> after their second letter, tolerating encoded tab/newline/carriage-return characters between the letters.

Two caveats apply before using it. It is a blacklist, so it can only neutralise the keywords it knows about, and because it matches those keywords anywhere in the text it also mangles ordinary words that contain them (for example "hyperlink" and "style" in normal prose). Filtering input this way is therefore a defence-in-depth measure at best; the reliable defence against XSS is still to encode data for the context it is output into (htmlspecialchars() for HTML text and attribute values, and a dedicated encoder for JavaScript or URL contexts).

The code is as follows:
<?php
function RemoveXSS($val) {
    // Remove all non-printable characters. TAB (0x09), LF (0x0a) and CR (0x0d) are kept
    // because they are legitimate in some inputs. This prevents character re-spacing
    // tricks such as a NUL byte spliced into the middle of a tag or scheme name.
    // Note that you have to handle splits with \n, \r and \t later, since they *are* allowed.
    // (The widely circulated copy of this regex has literal commas inside the character
    // class, which silently strips every comma from the input; they are removed here, and
    // the range is extended to 0x1f so that all C0 control characters are covered.)
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // Straight replacements: the user should never need numeric character references for
    // these ordinary characters, so decode them back to the literal character.
    // This prevents payloads that hide a keyword by encoding some of its letters, e.g.
    // writing "j" as &#106; so that "javascript:" never appears literally in the input.
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the trailing semicolon, which is optional (a side effect of making it
        // optional is that a longer reference such as &#1060; is partially decoded too)
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars

        // search for the hex form, e.g. &#x6A; or &#X006a
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // search for the decimal form, e.g. &#106; or &#00106
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }

    // Now the only remaining whitespace attacks are \t, \n and \r, which browsers ignore
    // inside a scheme such as "java\nscript:". The patterns below tolerate them, in their
    // numeric character reference forms, between the letters of each blacklisted keyword.
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink',
        'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset',
        'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
        'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus',
        'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur',
        'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect',
        'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete',
        'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave',
        'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange',
        'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress',
        'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter',
        'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel',
        'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange',
        'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit',
        'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
        'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    // Keep replacing as long as the previous full pass replaced something.
    // (The circulated copy compared $val_before inside the inner loop and set $found = false
    // as soon as any single pattern made no change, so it effectively ran one pass only;
    // the comparison belongs after the whole pass.)
    do {
        $val_before = $val;
        for ($i = 0; $i < count($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // between two letters allow any number of encoded TAB/LF/CR:
                    // hex &#x09; &#x0a; &#x0d; or decimal &#9; &#10; &#13;
                    // (the circulated copy used [9ab], which is TAB/LF/VT and misses CR, and
                    // [9|10|13], which is a character class of the single characters 9 | 1 0 3
                    // and therefore never matched &#10; or &#13;)
                    $pattern .= '(?:';
                    $pattern .= '(?:&#[xX]0{0,8}[9ad];)';
                    $pattern .= '|';
                    $pattern .= '(?:&#0{0,8}(?:9|10|13);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2); // add in <> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the (possibly encoded) keyword
        }
    } while ($val_before !== $val);
    return $val;
}
?>
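To see what the filter actually does on real input, the following Python program is an added example (it is not code from the original post): it ports the two stages of RemoveXSS, numeric-entity normalisation followed by keyword splitting, and runs constructed payloads and one line of harmless prose through it, next to output-time HTML encoding for comparison. KEYWORDS is assumed to be a short, representative subset of the page's blacklist, the sample inputs are constructed here, and WS_ENTITY_PAGE reproduces the whitespace-entity character classes exactly as they appear in the circulated PHP so the effect of correcting them can be observed.

```python
"""Added example, not code from the original post: a compact Python port of the
RemoveXSS stages (numeric-entity normalisation, then keyword splitting) so its
behaviour can be probed on constructed inputs, next to the context-aware output
encoding that is the real XSS defence."""
import html
import re
import string

# Characters decoded back from &#NNN; / &#xHH; (same set as the page's $search).
SEARCH = string.ascii_letters + string.digits + "!@#$%^&*()" + "~`\";:?+/={}[]-_|'\\"

# Subset of the page's keyword blacklist (assumption: representative, not complete).
KEYWORDS = ["javascript", "vbscript", "expression", "link", "style", "script", "onerror"]

# Encoded TAB/LF/CR tolerated between the letters of a keyword (corrected classes).
WS_ENTITY_FIXED = r"(?:&#[xX]0{0,8}[9ad];|&#0{0,8}(?:9|10|13);)*"
# The classes as they appear in the circulated PHP: [9ab] is TAB/LF/VT (no CR) and
# [9|10|13] is a character class of the single characters 9 | 1 0 3, so the decimal
# references &#10; and &#13; never match.
WS_ENTITY_PAGE = r"(?:&#[xX]0{0,8}[9ab];|&#0{0,8}[9|10|13];)*"


def normalize_entities(val: str) -> str:
    """Stages 1-2: drop non-printable control characters (TAB/LF/CR kept) and decode
    numeric character references for every character in SEARCH."""
    val = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", val)
    for ch in SEARCH:
        # A callable replacement stops re.sub from treating '\\' in ch as an escape.
        repl = lambda m, c=ch: c
        val = re.sub(r"&#[xX]0{0,8}%x;?" % ord(ch), repl, val, flags=re.I)
        val = re.sub(r"&#0{0,8}%d;?" % ord(ch), repl, val)
    return val


def split_keywords(val: str, ws_entity: str = WS_ENTITY_FIXED) -> str:
    """Stage 3: insert <x> after the second letter of every blacklisted keyword,
    tolerating encoded whitespace between its letters, until a full pass changes nothing."""
    while True:
        before = val
        for kw in KEYWORDS:
            pattern = ws_entity.join(re.escape(c) for c in kw)
            val = re.sub(pattern, kw[:2] + "<x>" + kw[2:], val, flags=re.I)
        if val == before:
            return val


def remove_xss(val: str) -> str:
    """The whole filter: normalise entities, then nerf keywords."""
    return split_keywords(normalize_entities(val))


def encode_for_html(val: str) -> str:
    """The defence the filter does not replace: escape at output time for the HTML
    text / quoted-attribute context (JavaScript and URL contexts need other encoders)."""
    return html.escape(val, quote=True)


# Constructed inputs (not from the page).
SAMPLES = [
    '<a href="&#106;avascript:alert(1)">x</a>',  # keyword hidden behind an entity
    "java&#10;script:alert(1)",                  # encoded LF inside the keyword
    "<img src=x onerror=alert(1)>",              # plain event handler
    "Hyperlink to the style guide",              # harmless prose
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("input    :", s)
        print("filtered :", remove_xss(s))
        print("encoded  :", encode_for_html(s))
        print()
```

Running it shows the two points that matter in practice: the filter neutralises the encoded payloads by rewriting them ("ja<x>vasc<x>ript:", "on<x>error"), but it rewrites the innocent sentence just as readily ("Hyperli<x>nk to the st<x>yle guide"), whereas html.escape() leaves the prose untouched and renders every markup payload inert. The comparison of WS_ENTITY_PAGE with WS_ENTITY_FIXED on "java&#10;script:" also shows that with the original character classes only the standalone "script" entry catches that input; the "javascript" entry itself never matches it.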