2018Web攻防训练营xss-filter过滤器介绍1.htmlspecialchars()函数2.htmlentities()函数3.strip_tags()函数4.自定义xssfilter课程内容01htmlspecialchars()函数htmlspecialchars()函数htmlspecialchars(string,flags,character-set,double_encode)参考链接:http://www.w3school.com.cn/php/func_string_htmlspecialchars.asp02htmlentities()函数htmlentities()函数这个函数对于过滤用户输入的数据非常有用。它会将一些特殊字符转换为HTML实体。例如,用户输入<时,就会被该函数转化为HTML实体<(<),输入>就被转为实体>.htmlentities(string,flags,character-set,double_encode)参考链接:http://www.w3school.com.cn/php/func_string_htmlentities.asphttp://www.w3school.com.cn/html/html_entities.asp返回Whois信息03strip_tags()函数strip_tags()函数strip_tags()函数剥去字符串中的HTML、XML以及PHP的标签。注释:该函数始终会剥离HTML注释。这点无法通过allow参数改变。注释:该函数是二进制安全的。strip_tags(string,allow)参考链接:http://www.w3school.com.cn/php/func_string_strip_tags.asp04自定义xssfilter自定义xssfilterfunctionxss_clean($data){//Fix&entity\n;$data=str_replace(array('&','<','>'),array('&','<','>'),$data);$data=preg_replace('/(&#*\w+)[\x00-\x20]+;/u','$1;',$data);$data=preg_replace('/(&#x*[0-9A-F]+);*/iu','$1;',$data);$data=html_entity_decode($data,ENT_COMPAT,'UTF-8');//Removeanyattributestartingwith"on"orxmlns$data=preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu','$1>',$data);//Removejavascript:andvbscript:protocols$data=preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu','$1=$2nojavascript...',$data);$data=preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu','$1=$2novbscript...',$data);$data=preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u','$1=$2nomozbinding...',$data);//OnlyworksinIE:
