Many domestic forums have cross-site scripting (XSS) vulnerabilities. Many such cases have also occurred abroad, even at Google, though those were fixed in early December. (Editor's note: for the attack side of cross-site scripting, see "XSS cross-site scripting attack details".) Cross-site attacks are easy to construct and very stealthy, so they are hard to notice: typically the victim is bounced straight back to the original page once the information has been stolen.
Here we will not explain how to carry out the attack (those interested can ask me), but mainly discuss how to prevent it. First, every cross-site scripting attack is caused by failing to filter user input strictly. We must therefore intercept dangerous input before it reaches our site and database, and at the latest before it is echoed back to the browser. htmlentities() can be used to neutralize illegal HTML code, including single and double quotation marks:
<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// (before PHP 8.1 the default flags leave single quotes alone)
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>
This neutralizes the injected script: the browser renders the tags as literal text instead of parsing them.
Note, however, that htmlentities() assumed ISO-8859-1 by default in PHP versions before 5.4 (since 5.4 the default is UTF-8). If the malicious script arrives in a different encoding from the one the function assumes, the dangerous characters may not be escaped, while the browser still recognizes and executes them. Always pass the character set explicitly, together with ENT_QUOTES, and on PHP 5.4 and later add ENT_SUBSTITUTE so that an invalid byte sequence does not make the function return an empty string. Since PHP 8.1 the defaults are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but older installations still need the flags spelled out. To deal with this problem thoroughly I still need to test it against a few sites first.
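As an added example (not code from the original article), here is how the flags and charset discussed above are applied in practice. The helper names and sample inputs are constructed for illustration, and htmlspecialchars() stands in for htmlentities(); both functions accept the same flags.

```php
<?php
// Added example, not code from the original article: output escaping with an explicit
// charset, ENT_QUOTES and ENT_SUBSTITUTE. The helper names and inputs are constructed.

function escape_html(string $s): string
{
    // ENT_QUOTES: escape both " and ' so the value is safe inside either attribute quoting style.
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning an empty string.
    // 'UTF-8': never rely on the default charset; it was ISO-8859-1 before PHP 5.4.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A single-quoted attribute written two ways. ENT_COMPAT escapes double quotes only, so the
// attacker's ' survives, closes the attribute and adds an onmouseover handler (vulnerable).
function input_tag_weak(string $value): string
{
    return "<input value='" . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . "'>";
}

// With ENT_QUOTES the ' becomes &#039; and the whole value stays inside the attribute.
function input_tag(string $value): string
{
    return "<input value='" . escape_html($value) . "'>";
}

// Constructed sample inputs.
$scriptPayload = '<script>alert(1)</script>';
$quotePayload  = "' onmouseover='alert(1)";
$badUtf8       = "caf\xE9 <b>x</b>"; // \xE9 on its own is not valid UTF-8 (it is Latin-1 e-acute)

echo escape_html($scriptPayload), "\n"; // the tag is shown as text, not parsed
echo input_tag_weak($quotePayload), "\n"; // attribute broken out of
echo input_tag($quotePayload), "\n";      // value stays inside the attribute

// Charset failure mode: when the input is not valid in the declared charset and ENT_SUBSTITUTE
// is absent, htmlspecialchars()/htmlentities() return "" and the value vanishes silently.
// With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest of the string is still escaped.
var_dump(htmlspecialchars($badUtf8, ENT_QUOTES, 'UTF-8'));
var_dump(escape_html($badUtf8));
```

The empty-string case is the one to watch in templates: a value that disappears looks like a harmless glitch, and the usual "fix" of echoing the raw string instead reintroduces the XSS.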
Here is a function, RemoveXSS(), that filters out malicious scripts. Note that it is a denylist: it strips control characters, decodes the entity encodings attackers use to disguise keywords, and then breaks up known-dangerous tag and event names with a harmless <x>. It cannot anticipate every browser parsing quirk, so treat it as defense in depth on top of escaping output with htmlentities()/htmlspecialchars(), not as a replacement for it:
function RemoveXSS($val) {
    // remove all non-printable characters. TAB (09), LF (0a) and CR (0d) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    $val = preg_replace('/([\x00-\x08\x0b\x0c\x0e-\x1f])/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents things like a&#X6Cert('xss') being read as alert('xss') by the browser
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars

        // @ search for the hex values
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val); // with a ;
        // @ search for the decimal values
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val); // with a ;
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // between any two letters of the keyword, allow any number of
                    // tabs, newlines or carriage returns, literal or entity-encoded
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}[9ad];?)';   // hex-encoded \t \n \r
                    $pattern .= '|(&#0{0,8}(9|10|13);?)';  // decimal-encoded \t \n \r
                    $pattern .= '|[\t\n\r]';               // the literal characters
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2); // add in <> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
        }
        if ($val_before == $val) {
            // no replacements were made in this round, so exit the loop
            $found = false;
        }
    }
    return $val;
}
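The $ra1 list above tries to neutralize javascript: and vbscript: by rewriting the words wherever they occur. For URL-valued attributes such as href and src, an allowlist of schemes is the more robust check. The following is an added example, not part of the article or of RemoveXSS; the function safe_url(), its default scheme list and the sample inputs are assumptions made here for illustration. It undoes the same entity and whitespace obfuscations RemoveXSS targets, but only to decide whether to accept the URL, and rejects anything with an unlisted scheme instead of patching the string.

```php
<?php
// Added example (not from the original article and not part of RemoveXSS): an allowlist
// check for URL-valued attributes (href, src) instead of denylisting the words
// "javascript" and "vbscript". Function name, scheme list and samples are constructed here.

function safe_url(string $url, array $allowedSchemes = ['http', 'https', 'mailto']): bool
{
    // 1. Undo the obfuscations RemoveXSS also targets, but only for the check: numeric
    //    character references with optional ';' and padded zeros (&#106; &#x006A; &#97 ...).
    //    Only ASCII matters for the scheme; anything else becomes U+FFFD, which can never
    //    form part of a scheme name.
    $decoded = preg_replace_callback(
        '/&#(?:x([0-9a-f]{1,8})|([0-9]{1,10}));?/i',
        function (array $m): string {
            $cp = $m[1] !== '' ? (int) hexdec($m[1]) : (int) $m[2];
            return ($cp > 0 && $cp < 0x80) ? chr($cp) : "\u{FFFD}";
        },
        $url
    );
    //    Browsers also decode named references such as &colon; and &Tab; inside attributes.
    //    (Decoding twice can only make this check stricter, never more permissive.)
    $decoded = html_entity_decode($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Browsers drop tab/LF/CR anywhere in a URL and trim surrounding spaces;
    //    remove all C0 controls so "java\nscript:" is seen as "javascript:".
    $canonical = trim(preg_replace('/[\x00-\x1f\x7f]+/', '', $decoded));

    // 3. No "scheme:" prefix means a relative URL, which cannot carry a script scheme.
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $canonical, $m)) {
        return true;
    }

    // 4. An explicit scheme must be on the allowlist; everything else (javascript:,
    //    vbscript:, data:, ...) is rejected rather than "nerfed" by string replacement.
    return in_array(strtolower($m[1]), $allowedSchemes, true);
}

// Constructed samples covering the obfuscations the article's filter is built around.
$samples = [
    'https://example.com/page',
    '/relative/path?x=1',
    'mailto:user@example.com',
    'javascript:alert(1)',
    'JaVaScRiPt:alert(1)',
    "java\nscript:alert(1)",
    '&#106;avascript:alert(1)',
    '&#x006A;&#97vascript&colon;alert(1)',
    'vbscript:msgbox(1)',
    'data:text/html,<script>alert(1)</script>',
];
foreach ($samples as $s) {
    printf("%-45s %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), safe_url($s) ? 'allowed' : 'REJECTED');
}
```

safe_url() only answers whether a value may be used as a link target at all; the caller still has to HTML-escape the URL (ENT_QUOTES, explicit UTF-8) when writing it into the attribute, otherwise a quote inside an otherwise harmless https:// URL breaks out of the attribute exactly as in the earlier example.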