How to filter XSS attacks in PHP

An example of filtering XSS attacks in PHP:

Add the following code to the relevant PHP file:

<?php

function RemoveXSS($val) {
    // Remove all non-printable characters. TAB (0x09), LF (0x0a) and CR (0x0d) are allowed.
    // This prevents some character re-spacing such as <java\0script>.
    // Note that you have to handle splits with \n, \r and \t later, since they *are* allowed in some inputs.
    // (The original character class also contained literal commas, which silently deleted every
    // comma from the input; they are dropped here, and the range is extended to cover 0x1a-0x1f.)
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // Straight replacements: the user should never need these, since they're normal characters.
    // This prevents things like <IMG SRC=@avascript:alert('XSS')>, where the first letter is
    // written as a numeric character reference.
    $search  = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the trailing ';', which is optional.
        // 0{0,8} matches any padding zeros, which are optional.
        // Search for the hex form, e.g. &#x0061; -> a
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // Search for the decimal form, e.g. &#0097; -> a
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }

    // Now the only remaining whitespace attacks are \t, \n and \r.
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < count($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // Between letters, allow any number of entity-encoded TAB/LF/VT/CR
                    // (hex &#x9; &#xa; &#xb; or decimal &#9; &#10; &#13;), so "java&#9;script" still matches.
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                    $pattern .= '|';
                    // The original wrote [9|10|13], which is a character class of the digits 9, 1, 0, 3
                    // and '|', not an alternation; (9|10|13) is what was intended.
                    $pattern .= '(&#0{0,8}(9|10|13);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2); // add in <x> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the entity-obfuscated keyword
        }
        // Compare after the whole round: the original checked inside the for loop, so $found was
        // cleared by the first keyword that did not match and later rounds never ran.
        if ($val_before == $val) {
            // no replacements were made in this round, so exit the loop
            $found = false;
        }
    }
    return $val;
}
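The two ideas in RemoveXSS (decode padded numeric character references, then break up keywords even when entity-encoded whitespace is wedged between their letters) can each be written as one general function instead of a loop over every character. The block below is an added example written for this page, not part of the original article: decode_numeric_refs, nerf_keywords and encode_for_html are its own names, and the sample strings are constructed. It also shows htmlspecialchars with ENT_QUOTES, which is the primary defence a practitioner should rely on; a blacklist filter like RemoveXSS only reduces what reaches the page and should never be the only control. The third sample deliberately contains a comma, which the page's original character class would have deleted.

```php
<?php
// Added example, not part of the original page. Requires PHP 7.4+ (arrow functions).

/**
 * Decode padded decimal/hex numeric character references (&#0106; &#x6A; &#106)
 * to the literal character, for printable ASCII plus TAB/LF/CR only. One regex does
 * what the page's first loop does with two preg_replace calls per character.
 */
function decode_numeric_refs(string $val): string
{
    return preg_replace_callback(
        '/&#(?:[xX]0{0,8}([0-9a-fA-F]{1,6})|0{0,8}([0-9]{1,7}));?/',
        function (array $m): string {
            // $m[1] is '' when the decimal branch matched; $m[2] is absent when hex matched
            $code = ($m[1] !== '') ? hexdec($m[1]) : (int) $m[2];
            $printable = ($code >= 0x20 && $code <= 0x7e) || in_array($code, [9, 10, 13], true);
            return $printable ? chr($code) : $m[0]; // leave anything else untouched
        },
        $val
    );
}

/**
 * Break up each keyword even when its letters are separated by literal TAB/LF/CR.
 * Run after decode_numeric_refs, so entity-encoded whitespace is already literal.
 * "javascript" becomes "ja<x>vascript", the same neutralisation RemoveXSS applies.
 */
function nerf_keywords(string $val, array $keywords): string
{
    foreach ($keywords as $kw) {
        $letters = array_map(fn(string $c): string => preg_quote($c, '/'), str_split($kw));
        $pattern = '/' . implode('[\t\n\r]*', $letters) . '/i';
        $val = preg_replace($pattern, substr($kw, 0, 2) . '<x>' . substr($kw, 2), $val);
    }
    return $val;
}

/**
 * Context-aware output encoding for HTML body and quoted-attribute context. Unlike the
 * blacklist it needs no knowledge of any attack: every < > & " ' becomes an entity, so
 * user-supplied text can never open a tag or break out of an attribute value.
 */
function encode_for_html(string $val): string
{
    return htmlspecialchars($val, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (not taken from the page): the entity-padded and
// whitespace-split forms the filter targets, plus benign text that must survive intact.
$samples = [
    '<IMG SRC=&#0106;avascript:alert(1)>',
    '<IMG SRC=&#x6A;ava&#9;script:alert(1)>',
    'Tom & "Jerry", 1 < 2',
];
$keywords = ['javascript', 'vbscript'];

foreach ($samples as $s) {
    $normalised = nerf_keywords(decode_numeric_refs($s), $keywords);
    printf("input:     %s\nblacklist: %s\nencoded:   %s\n\n", $s, $normalised, encode_for_html($s));
}
```

Run it with `php example.php`. For the first two samples the blacklist line shows the decoded string with `ja<x>vascript`, while the encoded line shows the input with every `<`, `>`, `&` and quote escaped, which is what should actually be written into an HTML response. The third sample passes through both functions unchanged apart from encoding, comma included.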


This article was shared by user 本地宝; copyright remains with the original author. If it infringes your rights, contact us and we will remove it promptly after verification. If reprinting, cite the source: https://www.duoxiangpai.com/64416.html
