PHP XSS handling

To prevent XSS, strings placed in different regions of a page should be escaped with different methods, not with a blanket htmlspecialchars. Simple and practical.

<?php
/**
 * XSS handling
 *
 * Author: 刘卫锋 (kevonliu@tencent.com)
 * Created: 2013-07-04
 *
 * $Id: Xss.php 48518 2013-07-05 03:35:04Z kevonliu $
 */

class Xss {

    /**
     * Escape a string placed inside a URL (percent-encodes the characters that could break out of a quoted href)
     *
     * @param string $str
     * @return string
     */
    public static function link($str) {

        $pairs = array(
            '\'' => '%27',
            '"'  => '%22',
            '<'  => '%3C',
            '>'  => '%3E',
        );

        return strtr($str, $pairs);
    }

    /**
     * Escape a string placed inside a JavaScript string literal
     *
     * @param string $str
     * @return string
     */
    public static function js($str) {

        // See ECMA 262 section 7.8.4 for string literal format
        $pairs = array(
            // "\\" => "\\\\",
            // "\"" => "\\\"",
            // '\'' => '\\\'',
            '\"' => '\\x22',
            '\'' => '\\x39',
            '\\' => '\\x92',

            # To avoid closing the element or CDATA section
            '<' => '\\x3c',
            '>' => '\\x3e',

            # To avoid any complaints about bad entity refs
            '&' => '\\x26',

            # Work around https://bugzilla.mozilla.org/show_bug.cgi?id=274152
            # Encode certain Unicode formatting chars so affected
            # versions of Gecko don't misinterpret our strings;
            # this is a common problem with Farsi text.
            "\xe2\x80\x8c" => "\\u200c", // ZERO WIDTH NON-JOINER
            "\xe2\x80\x8d" => "\\u200d", // ZERO WIDTH JOINER
        );

        return strtr($str, $pairs);
    }

    /**
     * Escape a string placed in HTML text or in a quoted HTML attribute
     *
     * @param string $str
     * @return string
     */
    public static function html($str) {

        // strtr() does not re-scan replaced text, so '&' => '&amp;' cannot cascade
        $pairs = array(
            '"'  => '&quot;',
            '\'' => '&#039;',
            '&'  => '&amp;',
            '>'  => '&gt;',
            '<'  => '&lt;',
        );
        return strtr($str, $pairs);
    }

}

?>

The above is the PHP version; other languages work the same way.
Corrections welcome, let's improve together~~
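As an added example (not part of the original post), the class above rendering one untrusted value into each of the three contexts it covers, plus a nested case the post does not show: a JavaScript string inside an HTML event-handler attribute, where the browser HTML-decodes the attribute before the JS parser runs, so the value is escaped for the innermost context (JS) first and then for HTML. It assumes the class is saved as Xss.php; the sample value is constructed.

```php
<?php
// Added example, not from the original post. Assumes the Xss class
// above is saved as Xss.php (file name taken from its $Id line).
require_once 'Xss.php';

// Constructed sample input containing quotes, angle brackets and a backslash:
//   "><s>x</s>'\
$untrusted = "\"><s>x</s>'\\";

// 1. URL context: value appended to a fixed URL inside a quoted href.
//    Xss::link() percent-encodes the characters that could close the
//    attribute or start a tag; the scheme is fixed by the prefix.
$href = 'https://example.invalid/search?q=' . Xss::link($untrusted);

// 2. JavaScript string literal inside a <script> block.
//    Quotes, backslash and <> become \xNN escapes, so neither the literal
//    nor the enclosing <script> element can be closed early.
$jsLiteral = '"' . Xss::js($untrusted) . '"';

// 3. HTML text and quoted attribute context.
$text = Xss::html($untrusted);

// 4. Nested context: JS string literal inside an onclick attribute.
//    Order matters: escape for JS first (inner), then for HTML (outer).
//    The browser decodes &quot; back to " before the JS parser sees it,
//    while the \x22 escapes inside the literal survive both stages.
$handler = Xss::html('show("' . Xss::js($untrusted) . '")');

echo <<<HTML
<a href="$href">link</a>
<script>var q = $jsLiteral;</script>
<p title="$text">$text</p>
<button onclick="$handler">show</button>
HTML;
```

Swapping the calls (Xss::html() on the inside, Xss::js() outside) would leave the `&quot;` entities as literal text inside the JS string and corrupt the data, which is why the innermost context is always escaped first.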

http://521-wf.com/archives/221.html

posted @ 2020-07-08 21:43  笠航