一个过虑xxs的代码
public static function removeXSS($str) { $str = str_replace('<!-- -->', '', $str); $str = preg_replace('~/\*[ ]+\*/~i', '', $str); $str = preg_replace('/\\\0{0,4}4[0-9a-f]/is', '', $str); $str = preg_replace('/\\\0{0,4}5[0-9a]/is', '', $str); $str = preg_replace('/\\\0{0,4}6[0-9a-f]/is', '', $str); $str = preg_replace('/\\\0{0,4}7[0-9a]/is', '', $str); $str = preg_replace('/�{0,8}[0-9a-f]{2};/is', '', $str); $str = preg_replace('/�{0,8}[0-9]{2,3};/is', '', $str); $str = preg_replace('/�{0,8}[0-9]{2,3};/is', '', $str); $str = htmlspecialchars($str); //$str = preg_replace('/</i', '<', $str); //$str = preg_replace('/>/i', '>', $str); // 非成对标签 $lone_tags = array("img", "param", "br", "hr"); foreach ($lone_tags as $key => $val) { $val = preg_quote($val); $str = preg_replace('/<' . $val . '(.*)(\/?)>/isU', '<' . $val . "\\1\\2>", $str); $str = self::transCase($str); $str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""","\"",$temp[0]);'), $str); } $str = preg_replace('/&/i', '&', $str); // 成对标签 $double_tags = array("table", "tr", "td", "font", "a", "object", "embed", "p", "strong", "em", "u", "ol", "ul", "li", "div", "tbody", "span", "blockquote", "pre", "b", "font"); foreach ($double_tags as $key => $val) { $val = preg_quote($val); $str = preg_replace('/<' . $val . '(.*)>/isU', '<' . $val . "\\1>", $str); $str = self::transCase($str); $str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""","\"",$temp[0]);'), $str); $str = preg_replace('/<\/' . $val . '>/is', '</' . $val . ">", $str); } // 清理js $tags = Array( 'javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'behaviour', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'font' ); foreach ($tags as $tag) { $tag = preg_quote($tag); $str = preg_replace('/' . $tag . '\(.*\)/isU', '\\1', $str); $str = preg_replace('/' . $tag . '\s*:/isU', $tag . '\:', $str); } $str = preg_replace('/[\s]+on[\w]+[\s]*=/is', '', $str); Return $str; }链接地址:https://github.com/sillydong/CZD_Yaf_Extension/blob/master/library/Tools.php
不错的yaf封闭mysql地址 https://github.com/jonsonxu/yaf