mthoutai

  博客园  :: 首页  :: 新随笔  :: 联系 :: 订阅 订阅  :: 管理
php 一个过虑xxs的代码

一个过虑xxs的代码

public static function removeXSS($str) {
		$str = str_replace('<!--  -->', '', $str);
		$str = preg_replace('~/\*[ ]+\*/~i', '', $str);
		$str = preg_replace('/\\\0{0,4}4[0-9a-f]/is', '', $str);
		$str = preg_replace('/\\\0{0,4}5[0-9a]/is', '', $str);
		$str = preg_replace('/\\\0{0,4}6[0-9a-f]/is', '', $str);
		$str = preg_replace('/\\\0{0,4}7[0-9a]/is', '', $str);
		$str = preg_replace('/&#x0{0,8}[0-9a-f]{2};/is', '', $str);
		$str = preg_replace('/&#0{0,8}[0-9]{2,3};/is', '', $str);
		$str = preg_replace('/&#0{0,8}[0-9]{2,3};/is', '', $str);

		$str = htmlspecialchars($str);
		//$str = preg_replace('/</i', '<', $str);
		//$str = preg_replace('/>/i', '>', $str);

		// 非成对标签
		$lone_tags = array("img", "param", "br", "hr");
		foreach ($lone_tags as $key => $val)
		{
			$val = preg_quote($val);
			$str = preg_replace('/<' . $val . '(.*)(\/?)>/isU', '<' . $val . "\\1\\2>", $str);
			$str = self::transCase($str);
			$str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""","\"",$temp[0]);'), $str);
		}
		$str = preg_replace('/&/i', '&', $str);

		// 成对标签
		$double_tags = array("table", "tr", "td", "font", "a", "object", "embed", "p", "strong", "em", "u", "ol", "ul", "li", "div", "tbody", "span", "blockquote", "pre", "b", "font");
		foreach ($double_tags as $key => $val)
		{
			$val = preg_quote($val);
			$str = preg_replace('/<' . $val . '(.*)>/isU', '<' . $val . "\\1>", $str);
			$str = self::transCase($str);
			$str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""","\"",$temp[0]);'), $str);
			$str = preg_replace('/<\/' . $val . '>/is', '</' . $val . ">", $str);
		}
		// 清理js
		$tags = Array(
				'javascript',
				'vbscript',
				'expression',
				'applet',
				'meta',
				'xml',
				'behaviour',
				'blink',
				'link',
				'style',
				'script',
				'embed',
				'object',
				'iframe',
				'frame',
				'frameset',
				'ilayer',
				'layer',
				'bgsound',
				'title',
				'base',
				'font'
		);

		foreach ($tags as $tag)
		{
			$tag = preg_quote($tag);
			$str = preg_replace('/' . $tag . '\(.*\)/isU', '\\1', $str);
			$str = preg_replace('/' . $tag . '\s*:/isU', $tag . '\:', $str);
		}

		$str = preg_replace('/[\s]+on[\w]+[\s]*=/is', '', $str);

		Return $str;
	}
链接地址:https://github.com/sillydong/CZD_Yaf_Extension/blob/master/library/Tools.php


不错的yaf封闭mysql地址  https://github.com/jonsonxu/yaf

posted on 2017-04-26 15:53  mthoutai  阅读(292)  评论(0编辑  收藏  举报