Some ways to prevent XSS attacks in PHP

Source: Internet
Author: User
Tags: sql injection, xmlns

There are many ways to launch XSS attacks against a web site, and relying only on PHP's built-in filter functions is not enough: filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars and strip_tags are all useful, but using them does not by itself guarantee security.

So how do you prevent XSS injection? The main thing is still careful filtering of user data. The following tips are not a complete list:

1. Assume that all user input is "evil".
2. In a weakly typed scripting language, be strict about the type and range you expect for every value.
3. Write regular expressions carefully.
4. Functions such as strip_tags and htmlspecialchars are very useful.
5. External JavaScript is not necessarily trustworthy.
6. Pay special attention to filtering quotes.
7. Remove unnecessary HTML comments.
8. Internet Explorer, please spare me...

Method one: use PHP's htmlentities / htmlspecialchars functions

PHP prevents XSS (cross-site scripting) by passing untrusted output through the htmlspecialchars() function, which encodes HTML-significant characters, including single and double quotes.

Pay attention to the second parameter of htmlspecialchars(). If you call it as htmlspecialchars($string) with no second parameter, the default is ENT_COMPAT, which converts double quotes (") but leaves single quotes (') unescaped.

So the second parameter should always be given: htmlspecialchars($string, ENT_QUOTES) converts both kinds of quotes. If you do not want any quotes converted at all, use htmlspecialchars($string, ENT_NOQUOTES).

Also, use htmlentities as little as possible. For pure English text there is no difference between htmlentities and htmlspecialchars; both achieve the goal. With Chinese text, however, htmlentities converts everything it can, and the Chinese characters it does not recognize get mangled in the process.

Neither htmlentities nor htmlspecialchars handles numeric entity strings such as &#039; and &#32; well (they are not converted), so a string passed through these functions only protects against XSS; it does not protect against SQL injection.


Everything that is printed, for example with echo or print, should be filtered through htmlentities() first to prevent XSS; for Chinese text write htmlentities($name, ENT_NOQUOTES, 'GB2312').
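The following PHP example is added here and is not part of the original article. It shows why the second argument to htmlspecialchars() matters when a value is echoed into a single-quoted attribute, and how Chinese text passes through the two functions. The helper names e() and renderAttr() and the sample inputs are constructed for this illustration; flags are passed explicitly because PHP 8.1 changed the default flags to include ENT_QUOTES, so the behaviour does not depend on the PHP version.

```php
<?php
// Added example, not from the original article. Demonstrates the effect of
// the htmlspecialchars() flags argument in attribute context.
// $untrusted and $cn are constructed sample inputs.
declare(strict_types=1);

// Output-encoding helper for HTML body and attribute context. Flags are given
// explicitly so the result is the same on every PHP version.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders a value inside a single-quoted attribute using the given flags.
function renderAttr(string $value, int $flags): string
{
    return "<input value='" . htmlspecialchars($value, $flags, 'UTF-8') . "'>";
}

// Constructed sample: a quote that would close the attribute, then a handler.
$untrusted = "x' onmouseover='alert(1)";

// ENT_COMPAT leaves ' untouched, so the single quote survives into the markup
// and the rest of the string becomes a second attribute on the <input>.
$weak = renderAttr($untrusted, ENT_COMPAT);

// ENT_QUOTES encodes ' as a numeric entity, so the whole value stays inside
// the value='...' attribute.
$safe = renderAttr($untrusted, ENT_QUOTES);

echo $weak, "\n", $safe, "\n";

// Check: the weak form carries extra raw quotes (a broken-out attribute),
// the safe form carries only the two quotes of the attribute itself.
var_dump(substr_count($weak, "'") > 2, substr_count($safe, "'") === 2);

// Chinese text: htmlspecialchars only touches &, <, >, ' and ", so the
// characters pass through. htmlentities with the correct charset (UTF-8)
// also leaves them alone; with a wrong charset it would mangle them.
$cn = "中文 <b>";
echo e($cn), "\n";
echo htmlentities($cn, ENT_QUOTES, 'UTF-8'), "\n";
```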

Method two: without further ado, here is a ready-made function

Example

The code is as follows:

function xss_clean($data)
{
    // Fix &entity\n;
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do {
        // Remove really unwanted tags; loop until nothing changes so that
        // tags nested inside removed tags are caught too
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // We are done...
    return $data;
}
