Home > Developer > PHP

PHP to prevent XSS attacks, Ajax cross-domain attack methods

Source: Internet
Author: User
Tags filter expression file upload functions domain
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

There are many ways to launch XSS attacks on a Web site, and just using some of the built-in filter functions of PHP is not going to work, even if you will Filter_var,mysql_real_escape_string,htmlentities,htmlspecialchars , strip_tags These functions are used and do not necessarily guarantee absolute security.

Now that there are many PHP development frameworks that provide filtering for XSS attacks, here's a function to prevent XSS attacks and Ajax Cross-domain attacks, from a development framework that should be strong enough to use only built-in functions.

function Xss_clean ($data) {//Fix &entity\n;
	$data =str_replace (' & ', ' < ', ' > '), Array (' & ', ' < ', ' > '), $data);
	$data =preg_replace ('/(&#*\w+) [\x00-\x20]+;/u ', ' $; ', $data);
	$data =preg_replace ('/(& #x *[0-9a-f]+); */iu ', ' $ ', $data);
	$data =html_entity_decode ($data, Ent_compat, ' UTF-8 '); Remove any attribute starting with "on" or xmlns $data =preg_replace (' # <[^>]+?[ \x00-\x20 "\") (?: O
	NXMLNS) [^>]*+> #iu ', ' $1> ', $data); Remove Javascript:and vbscript:protocols $data =preg_replace (' # (a-z]*) [\x00-\x20]*=[\x00-\x20]* ([' \ ']*)] [\x00-\ X20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p
	[\x00-\x20]*t[\x00-\x20]*: #iu ', ' $1=$2nojavascript ... ', $data); $data =preg_replace (' # ([a-z]*) [\x00-\x20]*= ([\]]*) [\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\
	x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*: #iu ', ' $1=$2novbscript ... ', $data); $data =preg_replace (' # (a-z]*) [\x00-\x20]*= ([\ ' "]*) [\x00-\x20]*-moz-binding[\x00-\x20]*: #u ', ' $1=$2nomozbinding ... ', $data); Only works in IE: <span style= "width:expression (Alert (' ping! '));" ></span> $data =preg_replace (' # (<[^>]+?)
	Style[\x00-\x20]*=[\x00-\x20]*[']*.*?expression[\x00-\x20]*\ ([^>]*+> #i ', ' $1> ', $data); $data =preg_replace (' # (<[^>]+?)
	Style[\x00-\x20]*=[\x00-\x20]*[']*.*?behaviour[\x00-\x20]*\ ([^>]*+> #i ', ' $1> ', $data); $data =preg_replace (' # (<[^>]+?) style[\x00-\x20]*=[\x00-\x20]*[' \ ' "]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\
	x00-\x20]*:* [^>]*+> #iu ', ' $1> ', $data);
	Remove namespaced elements (we don't need them) $data =preg_replace (' #</*\w+:\w[^>]*+> #i ', ', $data);
		http://www.alixixi.com/do{//Remove really unwanted tags $old _data= $data; $data =preg_replace (' #</*: Appletb (?: Asegsoundlink) Embedframe (?: Set)? I (?: Framelayer) L (?: Ayerink) metaobjects
	(?: Cripttyle) titlexml) [^>]*+> #i ', ', $data); }while ($old _data!== $data);
We are done ... return $data; }

Articles that you may be interested in

    • Generic PHP anti-injection Vulnerability attack Filter function code
    • PHP Check browser parameters to prevent SQL injected functions
    • PHP extracts the birthday date in the ID number and the function to verify that it is a minor
    • jquery+html+php implementation Ajax No refresh file upload
    • Ways to prevent sites from being attacked
    • Use PHP functions in Smarty Templates and how to use multiple functions for a variable in smarty templates
    • PHP output Yesterday, today, tomorrow is the day of the week method
    • Powerful PHP Image processing class (watermark, transparency, zoom, sharpen, rotate, flip, cut, invert color)


This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
how to prevent xss attacks in javascript cross site scripting xss attacks php prevent xss how to prevent xss attack php function addslashes designed to prevent xss attack example php how to prevent ransomware attacks

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More