php 去除XSS脚本攻击函数

最新推荐文章于 2023-05-04 10:22:52 发布

原创

最新推荐文章于 2023-05-04 10:22:52 发布 · 2.5k 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#php 去除XSS脚本攻击函数 #PHP XSS #XSS #乐杨俊

文章讨论了PHP中的remove_XSS函数因性能低下和安全性不足而应被淘汰，并推荐使用strip_tags和htmlspecialchars作为更安全、高效的XSS过滤方案。

一：remove_XSS方法

<?php
	/**
	 * @去除XSS（跨站脚本攻击）的函数
	 * @par $val 字符串参数，可能包含恶意的脚本代码如<script language="javascript">alert("hello world");</script>
	 * @return  返回处理后的字符串
	 **/
	function remove_XSS($val) {
   
   
	    // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
	    // this prevents some character re-spacing such as <java\0script>
	    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
	    $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);

	    // straight replacements, the user should never need these since they're normal characters
	    // this prevents like <IMG SRC=@avascript:alert('XSS')>
	    $search = 'abcdefghijklmnopqrstuvwxyz';
	    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
	    $search .= '1234567890!@#$%^&*()';
	    $search .= '~`";:?+/={}[]-_|\'\\';
	    for ($i = 0; $i < strlen($search); $i++) {
   
   
	        // ;? matches the ;, which is optional
	        // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars

	        // @ @ search for the hex values
	        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
	        // @ @ 0{0,7} matches '0' zero to seven times
	        $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val)