PHP Xss 处理
预防xss,页面中不同区域的字串应该使用不同的手段来处理,而不是一概的htmlspecialchars,简单+实用。
<?php /** * Xss 处理 * * 作者: 刘卫锋 (kevonliu@tencent.com) * 创建时间: 2013-07-04 * * $Id: Xss.php 48518 2013-07-05 03:35:04Z kevonliu $ */ class Xss { /** * 处理链接字串 * * @param string $str * @return string */ public static function link($str) { $pairs = array( '\'' => '%27', '"' => '%22', '<' => '%3C', '>' => '%3E', ); return strtr($str, $pairs); } /** * 处理js中的字串 * * @param string $str * @return string */ public static function js($str) { // See ECMA 262 section 7.8.4 for string literal format $pairs = array( // "\\" => "\\\\", // "\"" => "\\\"", // '\'' => '\\\'', '\"' => '\\x22', '\'' => '\\x39', '\\' => '\\x92', # To avoid closing the element or CDATA section '<' => '\\x3c', '>' => '\\x3e', # To avoid any complaints about bad entity refs '&' => '\\x26', # Work around https://bugzilla.mozilla.org/show_bug.cgi?id=274152 # Encode certain Unicode formatting chars so affected # versions of Gecko don't misinterpret our strings; # this is a common problem with Farsi text. "\xe2\x80\x8c" => "\\u200c", // ZERO WIDTH NON-JOINER "\xe2\x80\x8d" => "\\u200d", // ZERO WIDTH JOINER ); return strtr($str, $pairs); } /** * 处理html中的字串 * * @param string $str * @return string */ public static function html($str) { $pairs = array( '"' => '"', '\'' => ''', '&' => '&', '>' => '>', '<' => '<', ); return strtr($str, $pairs); } } ?>
以上是php版本的代码,其他语言均类似。
欢迎指正,共同进步~~
http://521-wf.com/archives/221.html