PHP Xss 处理

预防xss，页面中不同区域的字串应该使用不同的手段来处理，而不是一概的htmlspecialchars，简单+实用。

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86

<?php /**  * Xss 处理  *  * 作者: 刘卫锋 (kevonliu@tencent.com)  * 创建时间: 2013-07-04  *  * $Id: Xss.php 48518 2013-07-05 03:35:04Z kevonliu $  */   class Xss {       /**      * 处理链接字串      *      * @param string $str      * @return string      */     public static function link($str) {           $pairs = array(             '\'' => '%27',             '"'  => '%22',             '<'  => '%3C',             '>'  => '%3E',         );           return strtr($str, $pairs);     }       /**      * 处理js中的字串      *      * @param string $str      * @return string      */     public static function js($str) {           // See ECMA 262 section 7.8.4 for string literal format         $pairs = array(             // "\\" => "\\\\",             // "\"" => "\\\"",             // '\'' => '\\\'',             '\"' => '\\x22',             '\'' => '\\x39',             '\\' => '\\x92',               # To avoid closing the element or CDATA section             '<' => '\\x3c',             '>' => '\\x3e',               # To avoid any complaints about bad entity refs             '&' => '\\x26',               # Work around https://bugzilla.mozilla.org/show_bug.cgi?id=274152             # Encode certain Unicode formatting chars so affected             # versions of Gecko don't misinterpret our strings;             # this is a common problem with Farsi text.             "\xe2\x80\x8c" => "\\u200c", // ZERO WIDTH NON-JOINER             "\xe2\x80\x8d" => "\\u200d", // ZERO WIDTH JOINER         );           return strtr($str, $pairs);     }       /**      * 处理html中的字串      *      * @param string $str      * @return string      */     public static function html($str) {           $pairs = array(             '"'  => '"',             '\'' => ''',             '&'  => '&',             '>'  => '>',             '<'  => '<',         );         return strtr($str, $pairs);     }   }   ?>

以上是php版本的代码，其他语言均类似。
欢迎指正，共同进步~~ 

http://521-wf.com/archives/221.html