流传的移除XSS攻击的php函数 The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html. Another 流传的移除XSS攻击的php函数The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html. Another excellent site is the XSS Database which details each attack and how it works.
// NOTE(review): fragment of the widely circulated RemoveXSS() routine as it survived page extraction.
// The function signature, the body of the first for-loop and the assignment of the $ra array that the
// remaining loop reads are absent from this copy: the text from the "<" of the loop condition to the
// next ">" appears to have been dropped as if it were an HTML tag. As printed the snippet does not parse.
// What survives is a deny-list filter: for each entry of $ra it builds one case-insensitive regex in
// which every character after the first may be followed by an HTML numeric character reference, then
// is meant to rewrite each match in $val so the browser no longer recognises the construct. Deny-lists
// of this kind are brittle — anything outside $ra, or encoded in a way the pattern does not model,
// passes through unchanged — so treat it as a legacy example and prefer context-specific output
// escaping (htmlspecialchars() with ENT_QUOTES and an explicit 'UTF-8' charset) or a maintained
// allow-list HTML sanitiser.
// $search: the character set the (missing) first loop iterates over. The leading double quote in front
// of the single-quoted literal is a stray character from the page; it leaves the line unterminated.
$search = "'abcdefghijklmnopqrstuvwxyz';
$search.= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search.= '1234567890!@#$%^&*()';
$search.= '~`";:?+/={}[]-_|\'\\';
// The line below is where the extraction gap sits: "for ($i = 0; $i" is the start of the loop over
// $search and "0) {" is presumably the tail of an "if ($j > 0) {" guard inside the pattern builder,
// which is why the open/close brace counts that follow do not balance.
for ($i = 0; $i 0) {
    // Optional group allowing a numeric character reference between consecutive characters of the
    // $ra entry. Hex branch: "&#" then x/X, up to eight leading zeros, then the reference digits.
    $pattern .= '(';
    // NOTE(review): "[9][a][b]" is three consecutive one-character classes, so it matches only the
    // literal run "9ab", not any one of 9, a or b (tab, LF, CR); "[x|X]" also admits a literal "|".
    // Presumably "[xX]" and "[9ab]" were intended. The decimal branch below has the same problem
    // ("[9][10][13]" matches a 9 followed by one of "1"/"0" and one of "1"/"3", not 9, 10 or 13), so
    // as written these groups almost never match and the references they were meant to absorb stay
    // in place.
    $pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?';
    // Decimal branch. The "�" is a replacement character introduced by the page encoding; by symmetry
    // with the hex branch the original text was presumably "&#" — confirm against the source.
    $pattern .= '|(�{0,8}([9][10][13]);?)?';
    $pattern .= ')?';
}
// Append the next literal character of the current $ra entry.
$pattern .= $ra[$i][$j];
}
// Close the pattern; /i makes the match case-insensitive.
$pattern .= '/i';
// NOTE(review): the middle literal is empty in this copy, so $replacement equals the original entry
// and preg_replace() below leaves $val unchanged; the trailing comment says this step should nerf the
// tag, so the inserted marker presumably went missing with the other "<...>" spans — confirm against
// the source.
$replacement = substr($ra[$i], 0, 2).''.substr($ra[$i], 2); // add in to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
// $val_before is assigned in the part of the loop that is missing here. Loose == on two strings
// compares them numerically when both look numeric; === would be the safer comparison.
if ($val_before == $val) {
    // no replacements were made, so exit the loop
    $found = false;
}
}
}
return $val;
}
}
// Closing tag; in a PHP-only file it is normally omitted so trailing whitespace cannot be emitted.
?>
登录后复制Discuz系统中 防止XSS漏洞攻击,过滤HTML危险标签属性的PHP函数
// block html
// checkhtml(): Discuz-style tag filter. Unless the caller holds the 'allowhtml' permission
// (checkperm() and shtmlspecialchars() are defined elsewhere in Discuz, not on this page), each tag
// found in $html is kept only if its name is in $allowtags and it contains none of the $skipkeys
// fragments; otherwise it is dropped. With 'allowhtml' the markup passes through untouched — only
// stripslashes()/addslashes() run — so granting that permission is equivalent to trusting the author.
// $skipkeys is a fixed deny-list: attribute names and URL schemes not on it pass through, which is why
// a maintained allow-list sanitiser, or escaping at output time, is the usual replacement today.
// NOTE(review): several string literals in this copy lost their contents during extraction (the
// preg_match_all() pattern, the $searchs entries, the rebuilt tag in $replaces and the backslash in
// the str_replace() search list), so the function does not run as printed.
// Param: $html — slash-escaped HTML text (stripslashes() is applied first).
// Returns: the filtered text with slashes re-added by addslashes().
function checkhtml($html) {
    $html = stripslashes($html);
    if(!checkperm('allowhtml')) {
        // Pattern lost in this copy: as printed "//is" is an empty pattern. The code below expects
        // $ms[1] to hold the inner text of every tag, so the original presumably captured each <...>.
        preg_match_all("//is", $html, $ms);
        // Search string lost in this copy (str_replace() with an empty needle is a no-op); the
        // surviving '>' replacement suggests the angle brackets themselves were being rewritten.
        $searchs[] = '';
        $replaces[] = '>';
        if($ms[1]) {
            // allowed tags — note the list includes object, param and embed, which load plugin
            // content; drop them unless that is intended.
            $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed';
            $ms[1] = array_unique($ms[1]);
            foreach ($ms[1] as $value) {
                // Entry lost in this copy; presumably the tag as it appears in $html.
                $searchs[] = "";
                $value = shtmlspecialchars($value);
                // Rewrites a backslash to '.' and '/*' to '/.'. As printed '\' is an unterminated
                // literal (the backslash escapes the closing quote); presumably '\\'. The intent is
                // presumably to stop escapes and comment openers from splitting the keywords
                // matched below — confirm against the source.
                $value = str_replace(array('\','/*'), array('.','/.'), $value);
                // Deny-list of event-handler attributes and script-related words. Note the spelling
                // 'behaviour': the IE CSS property this presumably targets is 'behavior', which this
                // entry does not match as written.
                $skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate','onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange','onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick','ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate','onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete','onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel','onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart','onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop','onsubmit','onunload','javascript','script','eval','behaviour','expression','style','class');
                $skipstr = implode('|', $skipkeys);
                // Unanchored and case-insensitive: every occurrence of a fragment anywhere in the tag
                // text is replaced with '.', including inside attribute values and inside longer words
                // that merely contain it (e.g. 'description' contains 'script'), so legitimate content
                // is altered as well.
                $value = preg_replace(array("/($skipstr)/i"), '.', $value);
                // Keep only tags whose name is in $allowtags, followed by whitespace or end of text.
                // As printed the unescaped '/' inside "[/|s]" is taken as the closing delimiter by
                // preg_match() and 's' is a literal; presumably "\/" and "\s" lost their backslashes.
                if(!preg_match("/^[/|s]?($allowtags)(s+|$)/is", $value)) {
                    $value = '';
                }
                // Replacement literal lost in this copy; presumably the rebuilt tag.
                $replaces[] = empty($value)?'':"";
            }
        }
        $html = str_replace($searchs, $replaces, $html);
    }
    // Restores the escaping removed at the top. addslashes() is not an SQL escaping mechanism; if the
    // result is stored, the query still needs to be parameterised.
    $html = addslashes($html);
    return $html;
}
登录后复制 原文地址:PHP通用的XSS攻击过滤函数,Discuz系统中 防止XSS漏洞攻击,过滤HTML危险标签属性的P, 感谢原作者分享。