
PHP几种防范XSS攻击的函数

发布单位:索蓝时 发布时间:2012年4月15日 浏览次数:2346

收集了几个清除 XSS 的函数，其中一些来自国外，对中文的支持可能存在问题。

1、网上最流行的removexss函数

// Several XSS functions exist; this one is the RemoveXSS function.
/* Characters whose ASCII code (hex) is 00-08, 0b-0c or 0e-19 are stripped. */
/*
 * NOTE(review): the page shows this body commented out and without a function
 * header; the subject variable is $string. It is a blacklist normaliser: it
 * decodes numeric (&#x..; / &#..;) entities for printable characters so that
 * keywords cannot hide behind entity encoding, then breaks every keyword in $ra
 * (javascript, vbscript, on* handler names, dangerous tag names) by inserting
 * "<x>" after its second character, and repeats while replacements happen.
 * It does not escape the output, so the result still needs context-specific
 * escaping (htmlspecialchars for HTML) before it is rendered.
 *
 * NOTE(review): in "([9|10|13])" the square brackets form a character class
 * (the characters 9, |, 1, 0, 3), not an alternation of the decimal entities
 * 9/10/13; "(?:9|10|13)" looks like what was intended -- confirm.
 * NOTE(review): the "$found = false" check sits inside the inner for loop, so the
 * outer while stops after any pass in which a single pattern made no
 * replacement, not only when the whole pass made none.
 *
$string = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $string);
// straight replacements, the user should never need these since they're normal characters
// this prevents like <IMG SRC=@javascript:alert('XSS')>
$search = 'abcdefghijklmnopqrstuvwxyz'
    .'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    .'1234567890!@#$%^&*()'
    .'~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < strlen($search); $i++) {
    // ;? matches the ;, which is optional
    // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
    // @ @ search for the hex values
    $string = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $string); // with a ;
    // @ @ 0{0,7} matches '0' zero to seven times
    $string = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $string); // with a ;
}
// now the only remaining whitespace attacks are \t, \n, and \r
$ra = Array(
    'javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style',
    'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound',
    'title', 'base', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate',
    'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate',
    'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload',
    'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick',
    'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable',
    'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag',
    'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop',
    'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin',
    'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete',
    'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave',
    'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove',
    'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange',
    'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit',
    'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
    'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
$found = true; // keep replacing as long as the previous round replaced something
while ($found == true) {
    $string_before = $string;
    for ($i = 0; $i < sizeof($ra); $i++) {
        $pattern = '/';
        for ($j = 0; $j < strlen($ra[$i]); $j++) {
            if ($j > 0) {
                $pattern .= '( (&#[xX]0{0,8}([9ab]);) | |(&#0{0,8}([9|10|13]);) )*';
            }
            $pattern .= $ra[$i][$j];
        }
        $pattern .= '/i';
        $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
        $string = preg_replace($pattern, $replacement, $string); // filter out the hex tags
        if ($string_before == $string) {
            // no replacements were made, so exit the loop
            $found = false;
        }
    }
}
*/

2、xss_clean

原网址:http://stackoverflow.com/questions/1336776/xss-filtering-function-in-php

 

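/**
 * Blacklist-based XSS filter (the stackoverflow.com/questions/1336776 variant).
 *
 * Normalises HTML entities, strips attributes starting with "on" or "xmlns",
 * neutralises javascript: / vbscript: / -moz-binding: URLs and
 * expression() / behaviour() / script: styles, drops namespaced elements and
 * removes a fixed set of dangerous tags until the text stops changing.
 *
 * It is a blacklist, so the result is "less dangerous" markup, not markup that
 * is guaranteed safe: it must still be escaped for the context it is rendered
 * in (htmlspecialchars() for HTML) or run through a whitelist sanitizer.
 *
 * Change from the original: preg_replace() returns null on failure (for
 * example invalid UTF-8 under the /u modifier, or the backtrack limit) and the
 * original chain let that null flow through and returned it. Here the first
 * failure raises an E_USER_WARNING and the function fails closed with ''.
 *
 * @param mixed $data input; anything that is not a string is cast to string
 * @return string the filtered data, '' for empty input or on regex failure
 */
function xss_clean($data)
{
    $data = (string) $data;
    if ($data === '') {
        return '';
    }

    // Apply [pattern, replacement] pairs in order; stop at the first failure
    // and hand back null so the caller can fail closed.
    $apply = static function (array $steps, $subject) {
        foreach ($steps as $step) {
            $subject = preg_replace($step[0], $step[1], $subject);
            if ($subject === null) {
                return null;
            }
        }
        return $subject;
    };
    $fail = static function () {
        trigger_error(
            'xss_clean: preg_replace failed (preg_last_error=' . preg_last_error() . '); input rejected',
            E_USER_WARNING
        );
        return '';
    };

    // Fix &entity\n; -- double-encode the three already-encoded entities so the
    // html_entity_decode() below restores them instead of turning them into
    // live markup, then normalise numeric entities that are padded with
    // control characters / whitespace or miss their terminating ';'.
    $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
    $data = $apply(array(
        array('/(&#*\w+)[\x00-\x20]+;/u', '$1;'),
        array('/(&#x*[0-9A-F]+);*/iu', '$1;'),
    ), $data);
    if ($data === null) {
        return $fail();
    }
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    $data = $apply(array(
        // Remove any attribute starting with "on" or xmlns
        array('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>'),
        // Remove javascript: and vbscript: protocols (and -moz-binding:)
        array('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...'),
        array('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...'),
        array('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...'),
        // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        array('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>'),
        array('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>'),
        array('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>'),
        // Remove namespaced elements (we do not need them)
        array('#</*\w+:\w[^>]*+>#i', ''),
    ), $data);
    if ($data === null) {
        return $fail();
    }

    // Remove really unwanted tags. Repeat until the text is stable, so a tag
    // that only becomes visible after an inner one was removed is caught too.
    $unwanted = '#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i';
    do {
        $old_data = $data;
        $data = preg_replace($unwanted, '', $data);
        if ($data === null) {
            return $fail();
        }
    } while ($old_data !== $data);

    // we are done...
    return $data;
}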
3、cleanxss

 原网站:http://www.itshacked.com/103/php-function-to-prevent-cross-site-scripting-xss-attacks.html

 

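/**
 * Strips script blocks, style blocks, HTML tags and HTML comments from $input
 * (the itshacked.com snippet linked above).
 *
 * Two things were wrong with the function as printed on this page:
 *  - the patterns had been HTML-encoded ("&lt;" / "&gt;"), so they only matched
 *    the literal text "&lt;script" and never a real "<script" tag; the angle
 *    brackets are restored here.
 *  - get_magic_quotes_gpc() (removed in PHP 8.0) and mysql_real_escape_string()
 *    (removed with the mysql extension in PHP 7.0) were called unconditionally,
 *    which is a fatal error on current PHP. They are now only called where they
 *    exist, which keeps the PHP 5 behaviour unchanged.
 *
 * This is a blacklist tag stripper, not an escaper: the result still has to be
 * escaped for its output context (htmlspecialchars() for HTML). SQL escaping
 * does not belong in an XSS filter either -- on PHP 7+ the result is NOT
 * SQL-escaped; use prepared statements. On PHP 5, mysql_real_escape_string()
 * needs an open mysql connection and returns false without one, as before.
 *
 * @param mixed $input raw input; cast to string
 * @return string stripped and trimmed text; '' on regex failure (fail closed)
 */
function cleanxss($input)
{
    /// Prevents XSS attacks www.itshacked.com
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@',        // Strip multi-line comments
    );

    $inputx = preg_replace($search, '', (string) $input);
    if ($inputx === null) {
        // preg_replace() returns null on error (e.g. backtrack limit); the
        // original let that null flow on. Report it and reject the input.
        trigger_error(
            'cleanxss: preg_replace failed (preg_last_error=' . preg_last_error() . '); input rejected',
            E_USER_WARNING
        );
        return '';
    }
    $inputx = trim($inputx);

    // Legacy PHP 5 behaviour, kept only where the functions still exist.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $inputx = stripslashes($inputx);
    }
    if (function_exists('mysql_real_escape_string')) {
        $inputx = mysql_real_escape_string($inputx);
    }

    return $inputx;
}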