There are many ways to launch an XSS attack against a web site, and relying on PHP's built-in filter functions alone is not a good idea: even if you use filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars or strip_tags, these functions by themselves do not guarantee that the output is safe.
Many PHP development frameworks provide their own filtering methods against XSS. Below is a function, taken from one such framework, that filters input against XSS and Ajax cross-domain attacks; it should be stronger than using the built-in functions alone.
function xss_clean($data)
{
    // Fix &entity\n;
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: CSS expression()/behaviour() and script: inside a style attribute
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    // Note: the tag patterns in this and the next preg_replace were cut off when the
    // post was copied; they are restored here from the Kohana xss_clean() this function comes from.
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    // http://www.phpernote.com/
    do {
        // Remove really unwanted tags
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // We are done...
    return $data;
}
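The function above is a regex blacklist: it normalises entities and then strips the attribute, protocol and tag spellings it knows about, which is why such filters have needed repeated patching as new encodings and parser quirks turned up. The complement a practitioner wants next to it is output-side, context-aware escaping, which is the job the built-in functions from the opening paragraph actually do well. The following is an added example, not code from the original post or from the framework the function was taken from; the helper names (e_html, e_js, e_url, safe_href) and all sample strings are constructed for this illustration.

```php
<?php
// Added example: escape untrusted data at output time, choosing the encoder by
// the context the value lands in. A sanitizer such as the xss_clean() above is
// only needed where user-supplied HTML must be rendered as HTML.

/** HTML body text and quoted attribute values. */
function e_html(string $s): string
{
    // ENT_QUOTES covers both quote characters (before PHP 8.1 the default left
    // single quotes alone); ENT_SUBSTITUTE keeps invalid UTF-8 from collapsing
    // the whole output to an empty string; the charset must match the page's.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Data embedded in an inline <script> block. */
function e_js(string $s): string
{
    // The HEX flags hex-escape < > & ' " so the JSON can sit inside <script>
    // without the HTML parser seeing a closing tag or an entity.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

/** One value inside a URL query string. */
function e_url(string $s): string
{
    return rawurlencode($s);
}

/**
 * Allow-list for href/src: keep relative URLs and http(s) only, instead of
 * trying to blacklist every spelling of a dangerous scheme as xss_clean() does.
 */
function safe_href(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === null) {
        return $url;                  // relative URL, no scheme at all
    }
    if ($scheme === false) {
        return null;                  // unparsable URL
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? $url : null;
}

// Constructed untrusted input: markup, an event attribute and both quote kinds.
$untrusted = '<b onclick="x()">Tom & "Jerry" O\'Neil</b>';

echo '<p>' . e_html($untrusted) . "</p>\n";                        // markup shown literally
echo '<input value="' . e_html($untrusted) . "\">\n";             // attribute value is quoted
echo '<script>var name = ' . e_js($untrusted) . ";</script>\n";  // JSON does the quoting
echo '<a href="/search?q=' . e_url($untrusted) . "\">search</a>\n";

var_dump(safe_href('/docs/index.html'));       // string: relative URL kept
var_dump(safe_href('https://example.com/'));   // string: allowed scheme
var_dump(safe_href('ftp://example.com/'));     // NULL: scheme not on the allow-list

// Only when the application deliberately renders user HTML does a sanitizer
// belong in the pipeline; the regex filter from the post is one such option.
if (function_exists('xss_clean')) {
    echo xss_clean($untrusted), "\n";
}
```

The point of the split is that encoding is decided by where the value is written, not by what the value looks like: the same string gets a different encoder for text, attribute, script and URL contexts, and the blacklist sanitizer is reserved for the one case (rich text) where the markup must survive.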