對網站發動XSS攻擊的方式有很多種,僅僅使用php的一些內置過濾函數是對付不了的,即使你將filter_var,mysql_real_escape_string,htmlentities,htmlspecialchars,strip_tags這些函數都使用上了也不一定能保證絕對的安全。
現在有很多php開發框架都提供關於防XSS攻擊的過濾方法,下面和大家分享一個預防XSS攻擊和ajax跨域攻擊的函數,摘自某開發框架,相比於僅僅使用內置函數應該還是夠強了的吧。
function xss_clean($data){
// Fix &entityn;
$data=str_replace(array('&','<','>'),array('&','<','>'),$data);
$data=preg_replace('/(&#*w+)[x00-x20]+;/u','$1;',$data);
$data=preg_replace('/(&#x*[0-9A-F]+);*/iu','$1;',$data);
$data=html_entity_decode($data,ENT_COMPAT,'UTF-8');
// Remove any attribute starting with "on" or xmlns
$data=preg_replace('#(<[^>]+?[x00-x20"'])(?:onxmlns)[^>]*+>#iu','$1>',$data);
// Remove javascript: and vbscript: protocols
$data=preg_replace('#([a-z]*)[x00-x20]*=[x00-x20]*([`'"]*)[x00-x20]*j[x00-x20]*a[x00-x20]*v[x00-x20]*a[x00-x20]*s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:#iu','$1=$2nojavascript...',$data);
$data=preg_replace('#([a-z]*)[x00-x20]*=(['"]*)[x00-x20]*v[x00-x20]*b[x00-x20]*s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:#iu','$1=$2novbscript...',$data);
$data=preg_replace('#([a-z]*)[x00-x20]*=(['"]*)[x00-x20]*-moz-binding[x00-x20]*:#u','$1=$2nomozbinding...',$data);
// Only works in IE:
$data=preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?expression[x00-x20]*([^>]*+>#i','$1>',$data);
$data=preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?behaviour[x00-x20]*([^>]*+>#i','$1>',$data);
$data=preg_replace('#(<[^>]+?)style[x00-x20]*=[x00-x20]*[`'"]*.*?s[x00-x20]*c[x00-x20]*r[x00-x20]*i[x00-x20]*p[x00-x20]*t[x00-x20]*:*[^>]*+>#iu','$1>',$data);
// Remove namespaced elements (we do not need them)
$data=preg_replace('#]*+>#i','',$data);
// http://www.Alixixi.com/
do{// Remove really unwanted tags
$old_data=$data;
$data=preg_replace('#]*+>#i','',$data);
}while($old_data!==$data);
// we are done...
return $data;
}
