PHP prevention of XSS attacks, Ajax cross-domain attack method _php Tutorial

Source: Internet
Author: User
Tags: smarty template
There are many ways to launch an XSS attack against a web site, and relying only on PHP's built-in filter functions is not enough: even if you use filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars and strip_tags, none of these functions by itself guarantees that the output is safe.

Many PHP development frameworks ship their own filtering routines against XSS. Below is a function, taken from one such framework, that filters XSS payloads and Ajax cross-domain attack vectors; it is considerably stronger than calling the built-in functions on their own.

function xss_clean($data)
{
    // Fix &entity\n;
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (and Mozilla's -moz-binding),
    // tolerating whitespace and control characters between the letters
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: style attributes carrying expression(), behaviour() or a script: URL
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    // (this pattern was lost in extraction; restored from the Kohana framework's xss_clean(), which this function reproduces)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do {
        // Remove really unwanted tags; loop until nothing changes so that
        // nested tags such as <scr<script>ipt> are also caught
        // (tag list likewise restored from the Kohana original)
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // We are done...
    return $data;
}
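As an added example (not part of the original article and not the framework's own code), the script below runs xss_clean() over a few constructed inputs, one per filtering stage, and then shows the output-encoding step that xss_clean() itself does not perform. It assumes the function above has been saved as xss_clean.php next to the script.

```php
<?php
// Added example: exercises the article's xss_clean() and pairs it with
// output encoding. Assumes xss_clean() lives in xss_clean.php (assumption).
require __DIR__ . '/xss_clean.php';

// xss_clean() is a blacklist filter applied to input. The escaping here is
// what actually makes untrusted text inert when it is echoed into HTML;
// the two steps complement each other rather than replace each other.
function render_html(string $untrusted): string
{
    return htmlspecialchars(xss_clean($untrusted), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs, each mapped to the string xss_clean() is expected to
// return for it. Note that the attribute regexes keep the whitespace that
// preceded the removed attribute, hence "<div >" rather than "<div>".
$cases = array(
    // Entity-encoded protocol: decoded by html_entity_decode(), then neutralised.
    '<a href="j&#97;vascript:alert(1)">x</a>' => '<a href="nojavascript...alert(1)">x</a>',
    // Event-handler attribute stripped, element kept.
    '<div onmouseover="alert(1)">hi</div>' => '<div >hi</div>',
    // IE expression() inside a style attribute: whole attribute dropped.
    '<span style="width: expression(alert(1))">x</span>' => '<span >x</span>',
    // Nested tag: the do/while loop keeps stripping until nothing changes.
    '<scr<script>ipt>alert(1)</script>' => 'alert(1)',
);

$failures = 0;
foreach ($cases as $input => $expected) {
    $got = xss_clean($input);
    $ok = ($got === $expected);
    $failures += $ok ? 0 : 1;
    printf("%-55s => %s%s\n", $input, $got, $ok ? '' : '  (UNEXPECTED)');
}

// Plain markup passes through xss_clean() untouched; only the encoding step
// turns it into inert text for an HTML body or attribute context.
echo render_html('<b>bold</b> & "quotes"'), "\n";

exit($failures === 0 ? 0 : 1);
```

The exit status is non-zero if any case deviates from the expected result, so the script doubles as a regression check when the filter is modified.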
