Many websites today have cross-site scripting (XSS) vulnerabilities that attackers can exploit. Cross-site attacks are easy to construct, well concealed and hard to detect (after the information is stolen, the victim is usually redirected straight back to the original page). We will not discuss how to defend against attacks here. There are many ways to launch XSS attacks against a website, and PHP's built-in filter functions alone are not enough: even if filter_var, mysql_real_escape_string, htmlentities, htmlspecialchars and strip_tags are all used, absolute security cannot be guaranteed.
So how can XSS injection be prevented? Filtering of user data still needs thorough consideration. The following tips are not a complete summary:
1. Assume that all user input data is "evil".
2. In a weakly typed scripting language, make sure that types are consistent with what is expected.
3. Use well-considered regular expressions.
4. Functions such as strip_tags and htmlspecialchars are very useful.
5. External JavaScript is not necessarily reliable.
6. Pay special attention to filtering quotation marks.
7. Remove unnecessary HTML comments.
8. Explorer, please let me go ......
Method 1: Use the PHP htmlentities function
Example
PHP protects against XSS attacks by using the htmlspecialchars() function.
When using htmlspecialchars(), pay attention to the second parameter. If htmlspecialchars($string) is called directly, the second parameter defaults to ENT_COMPAT, and by default the function converts only double quotation marks (") and does not escape single quotes.
Therefore the second parameter must be passed to htmlspecialchars: use htmlspecialchars($string, ENT_QUOTES). If you do not need the quotation marks converted, use htmlspecialchars($string, ENT_NOQUOTES).
In addition, htmlentities should be used as little as possible. For pure English text there is no difference between htmlentities and htmlspecialchars, so either will do. For Chinese text, however, htmlentities converts all of the HTML code, including the Chinese characters it cannot identify.
Both htmlentities and htmlspecialchars have poor support for the single quote (') and do not convert it. Therefore, strings converted with htmlentities and htmlspecialchars can only prevent XSS attacks and SQL injection attacks.
All output statements, such as echo and print, must pass their arguments through htmlentities() before printing; this prevents XSS. Note that for Chinese text it must be written as htmlentities($name, ENT_NOQUOTES, 'GB2312').
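The following added example (not from the original article) shows why the flags argument matters when untrusted data lands inside a single-quoted HTML attribute; the ENT_COMPAT default described above applies to PHP versions before 8.1, which changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. The function names and the sample input are constructed for the demonstration.

```php
<?php
// Added example, not from the original article. It compares ENT_COMPAT and
// ENT_QUOTES when untrusted data is placed inside a single-quoted attribute.
// Function names and the sample input are constructed.
declare(strict_types=1);

// Escape a value for an HTML text node or attribute value.
// ENT_QUOTES converts both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of making htmlspecialchars() return an empty string.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the same untrusted value into a single-quoted attribute with the
// given flags, so the two flag choices can be compared side by side.
function render_input(string $untrusted, int $flags): string
{
    $encoded = htmlspecialchars($untrusted, $flags, 'UTF-8');
    return "<input type='text' value='" . $encoded . "'>";
}

// The template contributes exactly four single quotes (type='text' and
// value='...'); any additional raw ' means the attribute was terminated
// early and the remainder of the input became markup.
function attribute_stays_closed(string $html): bool
{
    return substr_count($html, "'") === 4;
}

// Constructed sample: a value carrying a single quote followed by text
// that would be parsed as a new attribute if the quote survives.
$sample = "O'Brien' title='injected";

$compat = render_input($sample, ENT_COMPAT); // ' is left untouched
$quotes = render_input($sample, ENT_QUOTES); // ' becomes &#039; and stays inside the value

printf("ENT_COMPAT : %s (closed: %s)\n", $compat, var_export(attribute_stays_closed($compat), true));
printf("ENT_QUOTES : %s (closed: %s)\n", $quotes, var_export(attribute_stays_closed($quotes), true));
printf("esc_html   : %s\n", esc_html($sample));
```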
Method 2: No more talk, just a function.
Example
```php
function xss_clean($data)
{
    // Fix &entity\n;
    // Double-encode the already-encoded &amp; &lt; &gt; so that the
    // html_entity_decode() below leaves them as entities rather than
    // turning them into live < and > characters.
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (whitespace between the letters is tolerated)
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: style="... expression(...)" / behaviour(...) / script:
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // The <...> parts of the two tag patterns below were stripped from the page as markup;
    // they are restored here from the Kohana xss_clean() this function comes from.
    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do {
        // Remove really unwanted tags
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // we are done...
    return $data;
}
```
Method 3:
```php
<?php
// php common filtering for Injection Prevention and XSS attacks.
// by qq: 831937
$_GET && SafeFilter($_GET);
$_POST && SafeFilter($_POST);
$_COOKIE && SafeFilter($_COOKIE);

function SafeFilter(&$arr)
{
    // Blacklist of substrings to strip. Note that it also mangles legitimate
    // words containing them (for example "description" loses "script").
    // The commas that the original had inside the first character class were
    // literal characters (they would have stripped every comma) and are removed.
    $ra = array('/[\x00-\x08\x0b-\x0c\x0e-\x19]/', '/script/', '/javascript/', '/vbscript/', '/expression/',
        '/applet/', '/meta/', '/xml/', '/blink/', '/link/', '/style/', '/embed/', '/object/', '/frame/',
        '/layer/', '/title/', '/bgsound/', '/base/', '/onload/', '/onunload/', '/onchange/', '/onsubmit/',
        '/onreset/', '/onselect/', '/onblur/', '/onfocus/', '/onabort/', '/onkeydown/', '/onkeypress/',
        '/onkeyup/', '/onclick/', '/ondblclick/', '/onmousedown/', '/onmousemove/', '/onmouseout/',
        '/onmouseover/', '/onmouseup/', '/onunload/');
    if (is_array($arr)) {
        foreach ($arr as $key => $value) {
            if (!is_array($value)) {
                // do not use addslashes() for characters already escaped by magic_quotes_gpc, to avoid double escaping.
                // get_magic_quotes_gpc() was removed in PHP 8.0, so it is guarded with function_exists().
                if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
                    // single quotation marks ('), double quotation marks ("), backslash (\) and NUL get a backslash escape
                    $value = addslashes($value);
                }
                // delete non-printable characters, roughly filter xss suspicious strings
                $value = preg_replace($ra, '', $value);
                // remove HTML and PHP tags and convert the rest to HTML entities
                $arr[$key] = htmlentities(strip_tags($value));
            } else {
                SafeFilter($arr[$key]);
            }
        }
    }
}
?>
```