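The PHP XSS (cross-site scripting) filter below is a function that circulates widely on the Internet. To be honest, I did not fully understand what it does at first. It works in three steps: it strips non-printable characters, then it decodes numeric HTML entities (decimal and hexadecimal) back into the plain letters and symbols they stand for, and finally it breaks up dangerous tag names and event-handler attribute names so that the browser no longer recognises them. That last step took some reading, so let's walk through it. Keep in mind that a blacklist filter like this is not a substitute for context-aware output encoding (for example htmlspecialchars() with ENT_QUOTES when writing into HTML); see the OWASP cheat sheet linked below. Some references on cross-site scripting:
http://chriscook.me/web-development/php-preventing-typical-xss-attacks/
http://ha.ckers.org/xss.html
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

[PHP]
<?php
/**
 * Crude blacklist-style XSS filter for untrusted text.
 *
 * This is the widely circulated RemoveXSS() function. The copy on this page
 * had been mangled in transcription (garbled event-handler names, a
 * `$Search`/`$search` case mismatch -- PHP variable names are case-sensitive --
 * `while ($found = true)`, which assigns instead of comparing and so never
 * terminates, and a stray site name pasted into the code). Those are repaired
 * here and a few defects of the original are fixed; each fix is noted inline.
 *
 * Three passes:
 *   1. strip ASCII control characters except TAB, LF and CR;
 *   2. turn numeric entities (&#106; / &#x6a;, with optional zero padding and
 *      with or without the trailing ';') back into the printable ASCII
 *      character they encode, so that pass 3 sees plain text;
 *   3. insert "<x>" after the second letter of every blacklisted tag name and
 *      on* event-handler name, also when its letters are separated by
 *      TAB/LF/VT/CR entities, so browsers no longer recognise the keyword.
 *
 * Caveats before relying on this:
 *   - It is a blacklist. Handlers missing from $ra2 (for example ontoggle or
 *     oninput) and tags missing from $ra1 pass through untouched, and raw
 *     TAB/LF/CR characters between the letters of a keyword are deliberately
 *     NOT handled here (only their entity forms are). Context-aware output
 *     encoding, plus scheme validation for URLs, is the recommended defence;
 *     treat this at most as a second layer.
 *   - Matching is case-insensitive but the inserted replacement uses the
 *     keyword's lowercase spelling, so "IFRAME" becomes "if<x>rame".
 *   - Keywords inside later keywords are nerfed again: "javascript" becomes
 *     "ja<x>vasc<x>ript" because "script" is matched after "javascript".
 *   - Ordinary words containing a keyword ("title", "link", "style") are
 *     nerfed too: this targets markup, it is not safe to run over prose.
 *   - Only one decoding pass is made, so a double-encoded entity such as
 *     "&#38;#106;" becomes "&#106;", not "j".
 *
 * @param string $val Untrusted input, treated as bytes (no /u modifier).
 * @return string The filtered value.
 */
function RemoveXSS($val) {
    // 1. Remove ASCII control characters. TAB (0x09), LF (0x0a) and CR (0x0d)
    //    are kept because many legitimate inputs contain them; callers must
    //    deal with splits on those themselves. This defeats "<java\0script>".
    //    The original class was [\x00-\x08,\x0b-\x0c,\x0e-\x19]: the commas
    //    made it strip every ',' from the input, and it stopped at 0x19 so
    //    0x1a-0x1f (SUB, ESC, FS, GS, RS, US) were left in place.
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // 2. Decode numeric entities of printable ASCII characters. A user never
    //    needs to write "&#106;" for "j", but it defeats naive matching, e.g.
    //    "<IMG SRC=&#106;avascript:alert('XSS')>".
    $search  = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0, $n = strlen($search); $i < $n; $i++) {
        $ch = $search[$i];
        // '\' and '$' are special in a preg_replace() replacement string;
        // escape them so the character is inserted literally.
        $literal = addcslashes($ch, '\\$');
        // 0{0,8} allows zero padding; the trailing ';' is optional in browsers.
        $val = preg_replace('/&#[xX]0{0,8}' . dechex(ord($ch)) . ';?/i', $literal, $val);
        $val = preg_replace('/&#0{0,8}' . ord($ch) . ';?/', $literal, $val);
    }

    // 3. Break up dangerous tag names and event-handler attributes.
    $ra1 = array(
        'javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml',
        'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe',
        'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base',
    );
    $ra2 = array(
        'onabort', 'onactivate', 'onafterprint', 'onafterupdate',
        'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate',
        'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload',
        'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange',
        'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut',
        'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick',
        'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave',
        'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate',
        'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout',
        'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete',
        'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave',
        'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel',
        'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange',
        'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
        'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete',
        'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
        'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload',
    );
    $ra = array_merge($ra1, $ra2);

    // Between two letters of a keyword a TAB/LF/VT/CR entity is tolerated, so
    // "jav&#x09;ascript" is still caught. The original decimal branch was
    // written as [9|10|13] -- a character class, not an alternation -- so
    // "&#10;" and "&#13;" never matched; both branches now cover the same four
    // characters (hex 9/a/b/d, decimal 9/10/11/13).
    $gap = '(?:&#[xX]0{0,8}[9abd];|&#0{0,8}(?:9|10|11|13);)*';

    // Repeat until a whole pass changes nothing. The original compared
    // $val_before inside the inner loop, so $found became false as soon as a
    // single keyword did not match and the outer loop never really repeated.
    // Strict comparison: "==" on two numeric-looking strings compares numbers.
    do {
        $val_before = $val;
        foreach ($ra as $word) {
            $letters = array_map('preg_quote', str_split($word));
            $pattern = '/' . implode($gap, $letters) . '/i';
            // Insert "<x>" after the first two letters to nerf the keyword.
            $replacement = substr($word, 0, 2) . '<x>' . substr($word, 2);
            $val = preg_replace($pattern, $replacement, $val);
        }
    } while ($val !== $val_before);

    return $val;
}
?>
[/PHP]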