php实现XSS安全过滤的方法
本文实例讲述了php实现XSS安全过滤的方法。分享给大家供大家参考。具体如下:
functionremove_xss($val){ //removeallnon-printablecharacters.CR(0a)andLF(0b)andTAB(9)areallowed //thispreventssomecharacterre-spacingsuchas<java\0script> //notethatyouhavetohandlesplitswith\n,\r,and\tlatersincethey*are*allowedinsomeinputs $val=preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/','',$val); //straightreplacements,theusershouldneverneedthesesincethey'renormalcharacters //thispreventslike<IMGSRC=@avascript:alert('XSS')> $search='abcdefghijklmnopqrstuvwxyz'; $search.='ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search.='1234567890!@#$%^&*()'; $search.='~`";:?+/={}[]-_|\'\\'; for($i=0;$i<strlen($search);$i++){ //;?matchesthe;,whichisoptional //0{0,7}matchesanypaddedzeros,whichareoptionalandgoupto8chars //@@searchforthehexvalues $val=preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i',$search[$i],$val);//witha; //@@0{0,7}matches'0'zerotoseventimes $val=preg_replace('/(�{0,8}'.ord($search[$i]).';?)/',$search[$i],$val);//witha; } //nowtheonlyremainingwhitespaceattacksare\t,\n,and\r $ra1=array('javascript','vbscript','expression','applet','meta','xml','blink','link','style','script','embed','object','iframe','frame','frameset','ilayer','layer','bgsound','title','base'); $ra2=array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate','onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange','onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick','ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate','onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete','onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel','onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart','onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop','onsubmit','onunload'); $ra=array_merge($ra1,$ra2); $found=true;//keepreplacingaslongasthepreviousroundreplacedsomething while($found==true){ $val_before=$val; for($i=0;$i<sizeof($ra);$i++){ $pattern='/'; for($j=0;$j<strlen($ra[$i]);$j++){ if($j>0){ $pattern.='('; $pattern.='(&#[xX]0{0,8}([9ab]);)'; $pattern.='|'; $pattern.='|(�{0,8}([9|10|13]);)'; $pattern.=')*'; } $pattern.=$ra[$i][$j]; } $pattern.='/i'; $replacement=substr($ra[$i],0,2).'<x>'.substr($ra[$i],2);//addin<>tonerfthetag $val=preg_replace($pattern,$replacement,$val);//filteroutthehextags if($val_before==$val){ //noreplacementsweremade,soexittheloop $found=false; } } } return$val; }
希望本文所述对大家的php程序设计有所帮助。