PHP: a field-sanitising filter function to prevent XSS (cross-site scripting) attacks
Posted by 圆柱模板
Editor's note: this article, compiled by the cha138.com editors, covers a PHP field-sanitising and XSS filter function; we hope it is of some reference value.
The two functions below work together: escape() runs a string (or every value of an array, such as $_POST) through a regex blacklist and then hands it to remove_xss(), which strips control characters, decodes numeric character references back into plain characters and breaks up script-related keywords and event-handler names. The code as extracted had lost its backslashes and HTML entities; they are restored here, and the few places where the original value could not be recovered are marked as assumptions.

```php
<?php
function escape($string)
{
    // Regex blacklist: neutralise angle brackets, a few SQL keywords and
    // script/iframe/frame tags. Note that once '<' and '>' have been replaced by
    // the first two patterns, the '">' and tag patterns below can no longer match.
    $search = array(
        '/</i',
        '/>/i',
        '/">/i',
        '/union/i',
        '/load_file(\s*(\/\*.*\*\/)?\s*)+\(/i',
        '/into(\s*(\/\*.*\*\/)?\s*)+outfile/i',
        '/or/i',                       // also mangles ordinary words such as "for" or "word"
        '/<([\/]?)script([^>]*?)>/si',
        '/<([\/]?)iframe([^>]*?)>/si',
        '/<([\/]?)frame([^>]*?)>/si',
    );
    $replace = array(
        '&lt;',
        '&gt;',
        '"&gt;',
        'union ',
        'load_file (',
        'into outfile',
        'or ',
        '&lt;\1script\2&gt;',
        '&lt;\1iframe\2&gt;',
        '&lt;\1frame\2&gt;',
    );

    if (is_array($string)) {
        // Filter every element of an array (e.g. the whole $_POST) recursively.
        foreach ($string as $key => $value) {
            $string[$key] = escape($value);
        }
    } elseif (empty($_POST['stats_code']) && empty($_POST['ad_type_code_content'])) {
        // Requests carrying raw stats/ad code are passed through unfiltered (the
        // original behaviour); everything else goes through the blacklist.
        $string = preg_replace($search, $replace, $string);
        // ASSUMPTION: the two search strings of this str_replace were lost in
        // extraction; '&#10;' and '&#13;' (the entity forms of the chr(10)/chr(13)
        // replacements) are a reconstruction.
        $string = str_replace(array('&#10;', '&#13;'), array(chr(10), chr(13)), $string);
        $string = remove_xss($string);
    }
    return $string;
}

function remove_xss($val)
{
    // Strip non-printable control characters (tab, LF and CR are kept), so that
    // "<java\0script>"-style splitting does not get past the keyword checks below.
    $val = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $val);

    // Fold numeric character references of ordinary characters back into the
    // characters themselves ("&#106;avascript" or "&#x6a;avascript" -> "javascript"),
    // so the keyword patterns below see the decoded form.
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // hex form: up to 8 padding zeros, ';' optional
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // decimal form
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }

    // Tag and protocol keywords, followed by event-handler attribute names.
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'script', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'bgsound');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    // Repeat while a pass still changes something: nested forms such as
    // "<scr<script>ipt>" need more than one round.
    $found = true;
    while ($found) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            // Build a pattern that also matches the keyword with encoded tab/LF/CR
            // references (&#9; &#x9; &#10; ...) slipped between its letters.
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                    $pattern .= '|';
                    $pattern .= '|(&#0{0,8}([9|10|13]);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            // Break the keyword by inserting a space after its second character
            // ("javascript" -> "ja vascript", "onclick" -> "on click").
            $replacement = substr($ra[$i], 0, 2) . ' ' . substr($ra[$i], 2);
            $val = preg_replace($pattern, $replacement, $val);
        }
        // The original tested this inside the for loop, which could stop the outer
        // loop after a pass in which a later keyword had still changed the string;
        // checking once per pass is the intended "until nothing changes" behaviour.
        if ($val_before == $val) {
            $found = false;
        }
    }
    return $val;
}
```
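The following is an added example, not code from the original post. It shows the two ideas the post's remove_xss() relies on (decode numeric character references, then look for keywords) as separate, readable steps, and puts them beside contextual output encoding with PHP's htmlspecialchars() and json_encode(), which is the mitigation that does not depend on a keyword list. The function names decode_numeric_entities(), blacklist_hits(), html_escape() and js_escape() and the $samples inputs are assumptions constructed for this demonstration.

```php
<?php
// Added example (not the original post's code). The payloads in $samples are
// constructed for this demonstration.

// Step 1 of the post's approach: fold numeric character references of printable
// ASCII back into characters, so that "&#106;avascript" is seen as "javascript".
// Hypothetical helper name.
function decode_numeric_entities(string $s): string
{
    return preg_replace_callback(
        '/&#(?:[xX]0{0,8}([0-9a-fA-F]+)|0{0,8}([0-9]+));?/',
        function (array $m): string {
            // group 2 is set for the decimal form, group 1 for the hex form
            $code = (isset($m[2]) && $m[2] !== '') ? (int) $m[2] : hexdec($m[1]);
            // only printable ASCII is folded; anything else is left untouched
            return ($code >= 0x20 && $code <= 0x7e) ? chr($code) : $m[0];
        },
        $s
    );
}

// Step 2 of the post's approach: a keyword blacklist. Returning the hits instead of
// rewriting the string makes it visible what such a filter does and does not see.
// Hypothetical helper name; the list is a short subset of the post's $ra1/$ra2.
function blacklist_hits(string $s): array
{
    $keywords = ['javascript', 'vbscript', 'expression', 'script', 'iframe', 'onerror', 'onload', 'onclick'];
    $hits = [];
    foreach ($keywords as $kw) {
        if (stripos($s, $kw) !== false) {
            $hits[] = $kw;
        }
    }
    return $hits;
}

// The list-free mitigation: encode for the context the value is written into.
// HTML text and attribute context (quotes, angle brackets and '&' are all encoded).
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context inside a <script> block: the HEX flags keep
// "</script>" and quote characters from terminating the literal or the element.
function js_escape(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// Constructed inputs: the kinds of strings the post's filter is written to catch,
// plus one harmless string to show that encoding does not mangle normal text.
$samples = [
    '<img src=x onerror=alert(1)>',
    '<a href="&#106;avascript:alert(1)">x</a>',   // encoded letter in the scheme
    '<scr<script>ipt>alert(1)</script>',           // survives a single-pass tag removal
    'o&#110;click=alert(1)',                       // encoded letter in a handler name
    'normal text with "quotes" & <brackets>',
];

foreach ($samples as $raw) {
    $decoded = decode_numeric_entities($raw);
    printf("input         : %s\n", $raw);
    printf("decoded       : %s\n", $decoded);
    printf("blacklist sees: %s\n", implode(', ', blacklist_hits($decoded)) ?: '(nothing)');
    printf("html context  : %s\n", html_escape($raw));
    printf("js context    : %s\n\n", js_escape($raw));
}
```

Run it with `php example.php`. Two things stand out in the output: the blacklist only recognises the handler name in the fourth sample after the entity has been decoded, which is exactly why the post's remove_xss() performs that step first; and the encoded forms are safe to write into their respective contexts whatever the input contained, including the nested `<scr<script>ipt>` case, because nothing is removed and no list has to be complete. Sanitising input with a keyword list is at best defence in depth; encoding at the point of output, per context, is the control to rely on. The same applies to the SQL-keyword replacements in escape(): prepared statements (PDO with bound parameters) are the fix, not rewriting `union` and `or`.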