There are many ways to launch XSS attacks against a web site, and relying only on PHP's built-in filter functions is not enough: even when filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars and strip_tags are used, they do not necessarily guarantee complete safety.
Many PHP development frameworks now provide their own filtering for XSS attacks. Below is a function, taken from one such framework, for filtering XSS and Ajax cross-domain payloads; it relies only on PHP built-in functions and should be strong enough for general use.
function xss_clean($data)
{
    // Fix &entity\n; (entities broken up by whitespace before the semicolon)
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (also when padded with control characters or whitespace)
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: CSS expression(), behaviour() and script: inside a style attribute
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
    do {
        // Remove really unwanted tags; loop until nothing changes so that tags
        // reassembled by an earlier removal are caught on the next pass.
        // The tag list was lost in extraction of this page and is restored here
        // from the published Kohana version of this function.
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // We are done...
    return $data;
}
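As an added example (not code from this page or from the framework the function was taken from), the harness below runs xss_clean() over a few constructed inputs that correspond to the cases its regexes target, and contrasts the result with context-aware output encoding via htmlspecialchars for an HTML text or attribute context. The sample inputs and the render_text helper are constructed for this illustration; xss_clean() is assumed to be the function defined above.

```php
<?php
// Added example: exercise xss_clean() on constructed inputs and contrast the
// blacklist filter with output encoding. Assumes xss_clean() from above is
// already loaded (e.g. require 'xss_clean.php').

// Constructed sample inputs covering the filter's main cases: an event-handler
// attribute, a protocol handler padded with whitespace, an entity-encoded
// protocol handler, a namespaced element, and harmless markup that the
// filter deliberately keeps.
$samples = array(
    'event handler'    => '<img src="x" onerror="alert(1)">',
    'spaced protocol'  => '<a href="j a v a s c r i p t:alert(1)">link</a>',
    'encoded protocol' => '<a href="&#106;avascript:alert(1)">link</a>',
    'namespaced tag'   => '<xml:namespace prefix="o"><b>bold</b>',
    'harmless markup'  => '<p>Hello &amp; welcome</p>',
);

// Output encoding for an HTML text/attribute context. ENT_QUOTES encodes both
// quote styles so the value is also safe inside a quoted attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_text($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $label => $input) {
    $filtered = xss_clean($input);          // markup kept, dangerous parts removed
    $encoded  = render_text($input);        // no markup survives at all

    echo "== $label ==\n";
    echo "input   : $input\n";
    echo "filtered: $filtered\n";
    echo "encoded : $encoded\n\n";
}
```

Run with php on the command line to compare the two columns. The filtered output is what you get when the goal is to keep user-supplied HTML while stripping the parts the function recognises; the encoded output is what you get when the value is meant to be shown as text. A blacklist filter like xss_clean() is best treated as a first pass on stored input and combined with encoding chosen for the output context (HTML body, attribute, JavaScript string, URL), rather than as a substitute for it.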