Time: 2021-07-01 10:21:17
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// (default flags on PHP < 8.1; since 8.1 ENT_QUOTES is part of the default, so the quote is encoded too)
echo htmlentities($str);
// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>
This neutralises an injected script: the tag characters are encoded, so the browser renders them as text instead of parsing them as markup.
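The flag choice in the htmlentities example above decides whether a value is safe inside a single-quoted attribute, and the charset argument decides whether the filter and the browser see the same characters. The following is an added example, not code from the original article; the payload strings are constructed for it, and escape_html is a helper name chosen here.

```php
<?php
// Output-encode an untrusted value for an HTML text node or a quoted attribute.
// ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces bytes that are not
// valid in the declared charset with U+FFFD instead of returning "" for the
// whole string; the charset is passed explicitly so the filter never guesses.
function escape_html(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $charset);
}

// The browser must decode the page with the same charset the filter used.
header('Content-Type: text/html; charset=UTF-8');

// Constructed payload: closes a single-quoted attribute and adds an event handler.
$payload = "x' onmouseover='alert(1)";

// ENT_COMPAT (the pre-8.1 default): the single quote survives, so the attribute
// is terminated and onmouseover becomes a real attribute of the element.
$unsafe = "<input value='" . htmlentities($payload, ENT_COMPAT) . "'>";
// <input value='x' onmouseover='alert(1)'>

// ENT_QUOTES: the quote is encoded and the payload stays inside the value.
$safe = "<input value='" . escape_html($payload) . "'>";
// <input value='x&apos; onmouseover=&apos;alert(1)'>

// Charset handling: a lone 0xC3 byte is not valid UTF-8. Without ENT_SUBSTITUTE
// htmlspecialchars returns "" and the whole value silently disappears from the
// page; with it the bad byte becomes U+FFFD and the markup is still encoded.
$broken  = "<b>\xC3</b>";
$dropped = htmlspecialchars($broken, ENT_QUOTES, 'UTF-8');
$kept    = escape_html($broken);

echo $unsafe, "\n", $safe, "\n";
var_dump($dropped === '');                               // bool(true)
var_dump($kept === "&lt;b&gt;\u{FFFD}&lt;/b&gt;");       // bool(true)
```

Run it on the command line to compare the two attribute strings; the silent empty-string case is the one that bites in production, because nothing is logged and the field simply renders blank.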
htmlentities() defaults to ISO-8859-1 as its charset (true up to PHP 5.3; PHP 5.4 changed the default to UTF-8, and PHP 8.1 added ENT_QUOTES to the default flags). If the malicious script is in a different encoding from the one the filter assumes, the filter may fail to neutralise it while the browser still recognises and executes it: the filter and the browser must agree on the charset, so pass it explicitly as the third argument and declare the same charset in the response's Content-Type header. I will test this on a few sites before saying more.

The widely copied RemoveXSS function below takes the opposite, denylist approach. It first strips control characters, then decodes numeric character references for every printable ASCII character so that a browser-decodable alias such as &#106;avascript collapses to plain javascript, and then hunts for the tag and event-handler names in $ra1 and $ra2 (that last part is cut off in this copy). The quotes and backslashes lost in this copy are restored below, and the control-character pattern, which had been split into three consecutive classes and therefore matched only three control characters in a row, is corrected to a single class.

function RemoveXSS($val) {
    // remove all non-printable characters. TAB (09), LF (0a) and CR (0d) are allowed
    // this prevents some character re-spacing, such as a NUL byte dropped into the middle of a tag name
    // note that you have to handle splits with \t, \n and \r later since they *are* allowed in some inputs
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents entity-encoded aliases of ordinary characters, e.g. &#106;avascript: for javascript:
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the ;, which is optional
        // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
        // hex form, e.g. &#x6a; or &#X006A (case-insensitive, with or without the ;)
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // decimal form, e.g. &#106; or &#0000106 (with or without the ;)
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart'
        // the rest of the event-handler list, and the remainder of the function that merges
        // $ra1 and $ra2 and breaks up every match so the browser no longer recognises the
        // keyword, are cut off in this copy of the article
    );
    return $val; // only the normalisation above is reproduced here; the keyword stripping is missing
}
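The decoding loop in RemoveXSS above only has to exist because the browser decodes &#106;avascript: back into javascript: before it looks at the scheme, so a denylist has to chase every encoding the browser accepts. The added example below, which is not part of the article, shows the allow-list alternative for the URL-attribute context: canonicalise the value the way the browser will, then accept only http, https or relative URLs, so no keyword list is needed. The function names and the sample payloads are constructed for this example.

```php
<?php
// Canonicalise a URL the way a browser does before it reads the scheme:
// decode character references (html_entity_decode covers the numeric &#106; and
// &#x6a; forms that the loop above handles one character at a time), strip the
// control characters and whitespace browsers ignore inside a scheme, lower-case.
function canonical_scheme(string $url): string
{
    $decoded  = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $stripped = preg_replace('/[\x00-\x20]/', '', $decoded);
    if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $stripped, $m)) {
        return strtolower($m[1]);
    }
    return ''; // no scheme at all: a relative URL
}

// Allow-list: only http, https or relative URLs may go into href/src.
// Everything else (javascript:, vbscript:, data:, ...) is replaced wholesale,
// so a new scheme or a new encoding trick never needs a new denylist entry.
function safe_url(string $url): string
{
    $scheme = canonical_scheme($url);
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    // the value still needs attribute encoding when it is written into the page
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed payloads in the shapes the denylist loop above has to chase.
$samples = [
    'https://example.com/page?a=1&b=2',
    '/relative/path',
    'javascript:alert(1)',
    '&#106;avascript:alert(1)',                // decimal entity for 'j'
    '&#x6A;avascript:alert(1)',                // hex entity, upper case
    "jav\tascript:alert(1)",                   // tab inside the scheme
    'JaVaScRiPt&#x09;:alert(1)',               // entity-encoded tab, mixed case
    'data:text/html,<script>alert(1)</script>',
];
foreach ($samples as $s) {
    printf("%-45s scheme=%-10s -> %s\n", $s, canonical_scheme($s) ?: '(none)', safe_url($s));
}
```

The output shows every javascript: variant resolving to the same scheme and being replaced by `#`, while the https and relative URLs pass through encoded. A bare `host:port/path` with no scheme is also rejected, since `host` parses as a scheme; that is the safe side to err on for an href.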
Source: http://www.bkjia.com/PHPjc/508507.html

Article summary: I have actually wanted to write about this topic for a long time, since I keep finding XSS vulnerabilities on PHP sites in China. Today I happened to see an XSS vulnerability in PHP5, so here is a short summary. By the way, a reminder to friends using PHP5...