PHP XSS Security Filter Code

function Remove_xss ($val) {//Remove all non-printable characters. CR (0a) and LF (0b) and TAB (9) is allowed//This prevents some character re-spacing such as <java\0script>//No   Te that you has to handle splits with \ n, \ r, and \ t later since they *are* allowed in some inputs//http://blog.qita.in     $val = Preg_replace ('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', ' ', $val);  Straight replacements, the user should never need these since they ' re normal characters//This prevents like  $search = ' abcdefghijklmnopqrstuvwxyz ';   $search. = ' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';   $search. = ' [email protected]#$%^&* () ';   $search. = ' ~ ';:? +/={}[]-_|\ ' \ \ '; for ($i = 0; $i < strlen ($search); $i + +) {//; matches the;, which is optional//0{0,7} matches any Padde D zeros, which is optional and go up to 8 chars//@ search for the hex values $val = Preg_replace ('/(& #[xx]0{0,8} '. Dechex (Ord ($search[$i])). ';? ' /I ', $search [$i], $val);      with A; @ @ 0{0,7} matches ' 0 ' zero to seven times $val = Preg_replace ('/(? { 0,8} '. Ord ($search [$i]). ';? ' /', $search [$i], $val);   with A; }//Now the only remaining whitespace attacks is \ t, \ n, and \ r $ra 1 = Array (' JavaScript ', ' VBScript ', ' expression ', ' applets ', ' meta ', ' xml ', ' blink ', ' link ', ' style ', ' script ', ' embed ', ' object ', ' iframe ', ' frame ', ' frameset ', ' Ilayer '   , ' layer ', ' bgsound ', ' title ', ' base '); $ra 2 = Array (' onabort ', ' onactivate ', ' onafterprint ', ' onafterupdate ', ' onbeforeactivate ', ' onbeforecopy ', ' Onbeforecut ', ' onbeforedeactivate ', ' onbeforeeditfocus ', ' onbeforepaste ', ' onbeforeprint ', ' onbeforeunload ', ' Onbeforeupdate ', ' onblur ', ' onbounce ', ' oncellchange ', ' onchange ', ' onclick ', ' oncontextmenu ', ' oncontrolselect ', ' Oncopy ', ' oncut ', ' ondataavailable ', ' ondatasetchanged ', ' ondatasetcomplete ', ' ondblclick ', ' ondeactivate ', ' Ondrag ', ' Ondragend ', ' ondragenter ', ' ondragleave ', ' ondragover ', ' OndragstaRT ', ' OnDrop ', ' onerror ', ' onerrorupdate ', ' onfilterchange ', ' onfinish ', ' onfocus ', ' onfocusin ', ' onfocusout ', ' onhelp ' , ' onkeydown ', ' onkeypress ', ' onkeyup ', ' onlayoutcomplete ', ' onload ', ' onlosecapture ', ' onmousedown ', ' onmouseenter ', ' OnMouseLeave ', ' onmousemove ', ' onmouseout ', ' onmouseover ', ' onmouseup ', ' onmousewheel ', ' onmove ', ' onmoveend ', ' Onmovestart ', ' onpaste ', ' onpropertychange ', ' onreadystatechange ', ' onreset ', ' onresize ', ' onresizeend ', ' Onresizestart ', ' onrowenter ', ' onrowexit ', ' onrowsdelete ', ' onrowsinserted ', ' onscroll ', ' onselect ', '   Onselectionchange ', ' onselectstart ', ' onstart ', ' onstop ', ' onsubmit ', ' onunload ');     $ra = Array_merge ($ra 1, $ra 2); $found = true;      Keep replacing as long as the previous round replaced something while ($found = = True) {$val _before = $val;         for ($i = 0; $i < sizeof ($RA); $i + +) {$pattern = '/';     for ($j = 0; $j < strlen ($ra [$i]); $j + +) {if ($j > 0) {$pattern. = ' (';          $pattern. = ' (&#[xx]0{0,8} ([9ab]);) ';               $pattern. = ' | '; $pattern. = ' | (? {0,8}               ([9|10|13]);) ';            $pattern. = ') * ';         } $pattern. = $ra [$i] [$j];         } $pattern. = '/I '; $replacement = substr ($ra [$i], 0, 2). ' <x> '. substr ($ra [$i], 2); Add in <> to nerf the tag $val = Preg_replace ($pattern, $replacement, $val);            Filter out the hex tags if ($val _before = = $val) {//No replacements were made, so exit the loop         $found = false; }}} return $val;}

PHP XSS Security Filter Code