2009/9/5

移除removexss攻擊語法

xss攻擊

何謂xss攻擊
可參考http://anti-hacker.blogspot.com/2008/01/xsscross-site-script.html
簡單的說
就是在post欄位中塞一些惡意語法

以下是移除xss語法的function
參考http://kallahar.com/smallprojects/php_xss_filter_function.php

function RemoveXSS($val) {
// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
// this prevents some character re-spacing such as
// note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);

// straight replacements, the user should never need these since they're normal characters
// this prevents like
$search = 'abcdefghijklmnopqrstuvwxyz';
$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search .= '1234567890!@#$%^&*()';
$search .= '~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < val =" preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i'," val =" preg_replace('/(�{0,8}'.ord($search[$i]).';?)/'," ra1 =" Array('javascript'," ra2 =" Array('onabort'," ra =" array_merge($ra1," found =" true;" found ="=" val_before =" $val;" i =" 0;" pattern =" '/';" j =" 0;"> 0) {
$pattern .= '(';
$pattern .= '(&#[xX]0{0,8}([9ab]);)';
$pattern .= '|';
$pattern .= '|(�{0,8}([9|10|13]);)';
$pattern .= ')*';
}
$pattern .= $ra[$i][$j];
}
$pattern .= '/i';
$replacement = substr($ra[$i], 0, 2).''.substr($ra[$i], 2); // add in <> to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
if ($val_before == $val) {
// no replacements were made, so exit the loop
$found = false;
}
}
}
return $val;
}

沒有留言: