php过滤xss攻击的示例:
在对应的php文件中添加以下代码:
<?php
functionRemoveXSS($val){
//removeallnon-printablecharacters.CR(0a)andLF(0b)andTAB(9)areallowed
//thispreventssomecharacterre-spacingsuchas<java\0script>
//notethatyouhavetohandlesplitswith\n,\r,and\tlatersincethey*are*allowedinsomeinputs
$val=preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/','',$val);
//straightreplacements,theusershouldneverneedthesesincethey'renormalcharacters
//thispreventslike<IMGSRC=@avascript:alert('XSS')>
$search='abcdefghijklmnopqrstuvwxyz';
$search.='ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search.='1234567890!@#$%^&*()';
$search.='~`";:?+/={}[]-_|\'\\';
for($i=0;$i<strlen($search);$i++){
//;?matchesthe;,whichisoptional
//0{0,7}matchesanypaddedzeros,whichareoptionalandgoupto8chars
//@@searchforthehexvalues
$val=preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i',$search[$i],$val);//witha;
//@@0{0,7}matches'0'zerotoseventimes
$val=preg_replace('/(�{0,8}'.ord($search[$i]).';?)/',$search[$i],$val);//witha;
}
//nowtheonlyremainingwhitespaceattacksare\t,\n,and\r
$ra1=Array('javascript','vbscript','expression','applet','meta','xml','blink','link','style','script','embed','object','iframe','frame','frameset','ilayer','layer','bgsound','title','base');
$ra2=Array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate','onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange','onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick','ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate','onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete','onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel','onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart','onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop','onsubmit','onunload');
$ra=array_merge($ra1,$ra2);
$found=true;//keepreplacingaslongasthepreviousroundreplacedsomething
while($found==true){
$val_before=$val;
for($i=0;$i<sizeof($ra);$i++){
$pattern='/';
for($j=0;$j<strlen($ra[$i]);$j++){
if($j>0){
$pattern.='(';
$pattern.='(&#[xX]0{0,8}([9ab]);)';
$pattern.='|';
$pattern.='|(�{0,8}([9|10|13]);)';
$pattern.=')*';
}
$pattern.=$ra[$i][$j];
}
$pattern.='/i';
$replacement=substr($ra[$i],0,2).'<x>'.substr($ra[$i],2);//addin<>tonerfthetag
$val=preg_replace($pattern,$replacement,$val);//filteroutthehextags
if($val_before==$val){
//noreplacementsweremade,soexittheloop
$found=false;
}
}
}
return$val;
}
了解更多php如何过滤xss攻击相关的解答,就上多想派(www.duoxiangpai.com)。
本文章由用户本地宝分享,版权归原作者,如侵犯,请联系(点这里联系),经核实,我们将第一时间删除。如若转载,请注明出处:https://www.duoxiangpai.com/64416.html