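/**
 * Blacklist-style XSS filter (a port of the classic "RemoveXSS" routine).
 *
 * The filter does three things, in order:
 *   1. drops C0 control characters other than TAB/LF/CR, so "<java\0script>"
 *      cannot hide a keyword from the later checks;
 *   2. decodes numeric HTML entities (&#97; / &#x61;) back to the printable
 *      ASCII character they stand for, but only for characters that cannot
 *      open a tag, so that "j&#97;vascript" becomes visible as "javascript";
 *   3. breaks dangerous keywords (tag names, event handlers, "javascript",
 *      "eval", ...) by inserting "<x>" after their second letter, also when
 *      the letters are separated by TAB/LF/CR or their numeric entities.
 *
 * SECURITY NOTE: this is a best-effort keyword blacklist. It is NOT a
 * substitute for context-specific output encoding; HTML output must still go
 * through htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') and SQL
 * must use prepared statements. The earlier addslashes() call was removed:
 * it is not an XSS control, it corrupts legitimate input ("it's" -> "it\'s"),
 * and it was bypassable anyway because entity decoding ran after it.
 *
 * Matched keywords are rewritten in lowercase (e.g. "JavaScript" -> "ja<x>vascript").
 * PCRE failures (e.g. backtrack limit on adversarial input) raise a
 * RuntimeException instead of silently returning unfiltered or empty output.
 */
class Security
{
    /** Printable ASCII characters whose numeric entities are decoded in step 2. */
    private const DECODABLE_CHARS = 'abcdefghijklmnopqrstuvwxyz'
        . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
        . '1234567890!@#$%^&*()'
        . '~`";:?+/={}[]-_|\'\\';

    /** Tag names and URL schemes that are nerfed. Order matters: it is the replacement order. */
    private const TAG_WORDS = [
        'alert', 'javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml',
        'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame',
        'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base',
    ];

    /** Event-handler attribute names and script entry points that are nerfed. */
    private const HANDLER_WORDS = [
        'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
        'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus',
        'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate',
        'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu',
        'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged',
        'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend',
        'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop',
        'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus',
        'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup',
        'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter',
        'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup',
        'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste',
        'onpropertychange', 'onreadystatechange', 'onreset', 'onresize',
        'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete',
        'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
        'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload',
        'confirm', 'eval', 'document',
    ];

    /**
     * Filter a single value or an array of values (recursively).
     *
     * Bug fixed: the original foreach assigned to the loop copy and returned
     * the array unchanged, so array input was never filtered. Keys are preserved
     * and nested arrays (e.g. $_POST['a']['b']) are filtered too.
     *
     * @param mixed $params scalar, or array of scalars/arrays
     * @return mixed filtered string, or array of filtered values with the same keys
     * @throws \RuntimeException if PCRE fails while filtering
     */
    public static function getXssSafeParams($params)
    {
        if (!is_array($params)) {
            return self::getXssSafeParam($params);
        }
        $clean = [];
        foreach ($params as $key => $value) {
            $clean[$key] = is_array($value)
                ? self::getXssSafeParams($value)
                : self::getXssSafeParam($value);
        }
        return $clean;
    }

    /**
     * Filter one scalar value. Non-string scalars (and null) are stringified
     * first, as the old preg_replace()-on-anything behaviour did.
     *
     * @param mixed $param scalar or null; arrays must go through getXssSafeParams()
     * @throws \InvalidArgumentException for array input
     * @throws \RuntimeException if PCRE fails while filtering
     */
    public static function getXssSafeParam($param): string
    {
        if (is_array($param)) {
            throw new \InvalidArgumentException('Use getXssSafeParams() for arrays');
        }
        return self::removeXss((string) $param);
    }

    /**
     * Run the three filtering stages on one string.
     *
     * @throws \RuntimeException if PCRE fails
     */
    private static function removeXss(string $val): string
    {
        $val = self::stripControlChars($val);
        $val = self::decodeObfuscatedEntities($val);
        return self::nerfKeywords($val);
    }

    /**
     * Remove C0 control characters except TAB (0x09), LF (0x0a) and CR (0x0d),
     * which are legitimate in form input and are handled by the keyword
     * patterns. The old pattern had three consecutive character classes and
     * therefore only matched a three-byte run, i.e. it removed almost nothing.
     */
    private static function stripControlChars(string $val): string
    {
        return self::replaceOrFail('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);
    }

    /**
     * Decode numeric entities (decimal or hex, any amount of zero padding,
     * optional trailing ";") that stand for a character in DECODABLE_CHARS.
     *
     * Only those characters are decoded: "<", ">" and whitespace are deliberately
     * left encoded, since an encoded "<" renders as text and is harmless, while
     * an encoded letter can hide a keyword. A digit that continues the number
     * (e.g. "&#492;") is a different code point and is left alone, instead of
     * being mangled into "1" + "2;" as the old prefix match did.
     */
    private static function decodeObfuscatedEntities(string $val): string
    {
        static $decodable = null;
        if ($decodable === null) {
            $decodable = array_flip(array_map('ord', str_split(self::DECODABLE_CHARS)));
        }
        $pattern = '/&#(?:x0*([0-9a-f]{1,2})(?![0-9a-f])|0*([0-9]{1,3})(?![0-9]));?/i';
        $result = preg_replace_callback(
            $pattern,
            static function (array $m) use ($decodable): string {
                $code = ($m[1] !== '') ? hexdec($m[1]) : (int) $m[2];
                return isset($decodable[$code]) ? chr($code) : $m[0];
            },
            $val
        );
        if ($result === null) {
            throw new \RuntimeException('XSS filter failed, preg error ' . preg_last_error());
        }
        return $result;
    }

    /**
     * Break every blacklisted keyword by inserting "<x>" after its second
     * letter ("ja<x>vascript", "on<x>load"). Rounds repeat until a full pass
     * changes nothing, so a replacement that exposes another keyword is caught.
     * Terminates because "<x>" can never be part of a keyword match.
     */
    private static function nerfKeywords(string $val): string
    {
        static $rules = null;
        if ($rules === null) {
            $rules = self::buildKeywordRules();
        }
        do {
            $before = $val;
            foreach ($rules as $pattern => $replacement) {
                $val = self::replaceOrFail($pattern, $replacement, $val);
            }
        } while ($val !== $before);
        return $val;
    }

    /**
     * Build pattern => replacement pairs for all keywords, once per process.
     *
     * Between two letters an attacker may place a literal TAB/LF/CR or its
     * numeric entity (hex 9/a/d, decimal 9/10/13); browsers ignore these inside
     * e.g. "java\tscript:". The old code listed hex "b" (VT, already stripped)
     * instead of "d" (CR) and did not match literal whitespace at all.
     *
     * @return array<string, string>
     */
    private static function buildKeywordRules(): array
    {
        $gap = '(?:[\t\n\r]|&#x0{0,8}[9ad](?![0-9a-f]);?|&#0{0,8}(?:9|10|13)(?![0-9]);?)*';
        $rules = [];
        foreach (array_merge(self::TAG_WORDS, self::HANDLER_WORDS) as $word) {
            $letters = array_map(
                static function (string $c): string {
                    return preg_quote($c, '/');
                },
                str_split($word)
            );
            $rules['/' . implode($gap, $letters) . '/i'] = substr($word, 0, 2) . '<x>' . substr($word, 2);
        }
        return $rules;
    }

    /**
     * preg_replace() that fails closed: a null result (PCRE error) becomes an
     * exception rather than an empty or unfiltered value flowing onward.
     *
     * @throws \RuntimeException
     */
    private static function replaceOrFail(string $pattern, string $replacement, string $subject): string
    {
        $result = preg_replace($pattern, $replacement, $subject);
        if ($result === null) {
            throw new \RuntimeException('XSS filter failed, preg error ' . preg_last_error());
        }
        return $result;
    }
}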
PHP class implementing a blacklist-style XSS filter (a port of the classic RemoveXSS routine). It strips control characters, decodes obfuscating numeric entities and breaks known dangerous keywords; it reduces common attack patterns but is not a substitute for context-specific output encoding (e.g. htmlspecialchars() for HTML, prepared statements for SQL).