When we build a website there are usually input fields being submitted, and the front end normally does no validation of what is in the input beyond simple checks such as "not empty". But some inputs will submit JavaScript or HTML, which can do real harm to the site. So the task of preventing XSS injection is handed to the back end. The back-end function for preventing XSS injection is as follows:

```php
<?php
function RemoveXSS($val) {
    // Remove all non-printable control characters. TAB (09), LF (0a) and CR (0d) are kept,
    // so they have to be handled further down, because they *are* allowed in some inputs.
    // This prevents character re-spacing such as <java\0script>.
    // Note: the widely copied version of this pattern has commas inside the character class,
    // which silently strips real commas from the input; they are left out here.
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // Straight replacements: the user should never need these as entities, since they are
    // normal characters. This prevents things like
    // <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A &#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // ;? matches the trailing ';', which is optional
        // 0{0,8} matches any padded zeros, which are optional
        // &#x0040 (@): search for the hex form
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
        // &#00064 (@): search for the decimal form
        $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
    }

    // Now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
    $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true) {
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++) {
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++) {
                if ($j > 0) {
                    // Between any two letters of the keyword allow an encoded TAB, LF or CR
                    // (hex &#x9; &#xa; &#xd; or decimal &#9; &#10; &#13;) any number of times,
                    // so that "jav&#x09;ascript" is still recognised as "javascript".
                    // (The widely copied version uses [9ab] and [9|10|13]; the former misses CR
                    //  and the latter is a character class, not an alternation.)
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}[9ad];)';
                    $pattern .= '|';
                    $pattern .= '(&#0{0,8}(9|10|13);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            // Insert <x> after the second character to nerf the keyword, e.g. "ja<x>vascript"
            $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2);
            $val = preg_replace($pattern, $replacement, $val); // filter out the (possibly encoded) tags
        }
        // Check once per full pass; the widely copied version tests inside the inner loop,
        // which ends the outer loop after the first keyword that did not match.
        if ($val_before == $val) {
            // no replacements were made in this round, so exit the loop
            $found = false;
        }
    }
    return $val;
}
```

Just run the data coming from the front end through this function to filter it. This function was found on the internet, but it has been tested in a project: it runs and it filters XSS injection. If anything is wrong, or if you have opinions or suggestions, please leave a comment~~
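RemoveXSS is a blacklist: it neutralises the keywords it knows about, so the back end should still escape every untrusted value for the context it is rendered in, which is the defence that does not depend on guessing the attacker's encoding. The following is an added example, not code from the original post, showing that output-encoding side with PHP's built-in htmlspecialchars and json_encode; the helper names h(), jsString() and renderComment() and the sample strings are constructed for this illustration.

```php
<?php
// Added example (not from the original post): escape at the point of output,
// for the context the value lands in. Helper names and samples are constructed here.

// Escape a value placed into HTML text or a quoted HTML attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape a value embedded inside a <script> block as a JavaScript string literal.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX so the string cannot close the
// surrounding <script> element or break out of the literal.
function jsString(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Render a comment the way a template would: the raw value is stored as-is and
// escaped only here, once for the attribute context and once for the text context.
function renderComment(string $author, string $body): string {
    return '<div class="comment" data-author="' . h($author) . '">'
         . '<p>' . h($body) . '</p>'
         . '</div>';
}

// Constructed sample inputs: the first two are the kinds of payloads the post
// describes (a script tag and an event handler injected into an attribute);
// the third is a benign string that a blacklist must not damage.
$samples = [
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    "O'Brien & co, 3 < 5",
];

foreach ($samples as $s) {
    // In HTML the tag characters and quotes come out as &lt; &gt; &quot; &apos; &amp;
    echo renderComment($s, $s), "\n";
    // In a script block the same value is a safe JS string literal
    echo '<script>var author = ', jsString($s), ';</script>', "\n";
}
```

The design point is that encoding is chosen by destination, not by input: the same string needs htmlspecialchars when it becomes HTML text or an attribute value and json_encode with the JSON_HEX_* flags when it becomes a JavaScript literal. Applied consistently at output time, this protects the benign third sample too, which a keyword filter can only leave untouched by luck.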