Мы против XSS (JS)
07 мая 2009
Вот две функции, которые я использую для борьбы с XSS, т. е. с внедрением JavaScript через поисковые поля форм. Обе работают по чёрному списку на входных данных, поэтому не заменяют экранирование (htmlspecialchars) при выводе — это лишь дополнительный слой.
Использование:
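<?php
// Rewrite every $_GET and $_POST value in place (rewrite the function if you
// need other sources). This is an input blacklist, not output escaping: the
// values still have to go through htmlspecialchars() when echoed into HTML.
excludeJS_XSS();

// Clean one specific value (the simpler case). The isset() fallback avoids an
// undefined-index warning for a missing field; searchValue() returns '' for an
// empty input anyway. The result is NOT HTML-safe on its own (see searchValue()).
$var = searchValue(isset($_POST['search_value']) ? $_POST['search_value'] : '');
?>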
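/*
 * Two input "sanitisers" against script injection in form fields.
 *
 * NOTE(review): both functions are blacklist filters applied to raw input.
 * They rewrite only the byte patterns spelled out below; nothing is decoded
 * before the regexes run in excludeJS_XSS(), and the tag list is closed, so
 * any construct not listed (for example an <img> or <svg> tag, or an on*=
 * event-handler attribute) passes through unchanged. They also mangle
 * legitimate text that happens to contain those patterns. The reliable
 * defence against XSS is escaping at output for the target context
 * (htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') for HTML);
 * treat these helpers as defence in depth at most.
 */

/**
 * Applies the blacklist rewrites to one request value.
 *
 * Arrays are walked recursively. The original code processed at most one
 * level of nesting: a deeper array (e.g. a[b][c]=...) was handed to
 * preg_replace() as an array element and collapsed to the string "Array".
 *
 * @param mixed $value a request value: string, scalar, null or (nested) array
 * @return mixed the rewritten value with the same shape
 */
function excludeJS_XSS_value($value)
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = excludeJS_XSS_value($item);
        }
        return $value;
    }

    // preg_replace() stringifies scalars and null anyway; make that explicit.
    $string = (string) $value;

    // "attr=javascript:" / "attr=vbscript:" (optionally quoted, with control
    // characters or spaces between the letters) become "attr=nojavascript..."
    // and "attr=novbscript...". Only these two URL schemes are handled.
    // The original ran each pattern twice (the second copy under a "// CSS"
    // comment); neither replacement contains "=", so a second pass can never
    // match its own output and one pass is equivalent.
    $string = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([\`\'\"]*)[\\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iU', '$1=$2nojavascript...', $string);
    $string = preg_replace('#([a-z]*)[\x00-\x20]*=([\'\"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iU', '$1=$2novbscript...', $string);

    // Remove opening and closing tags from a fixed list, repeating until the
    // text stops changing so that a tag exposed by a removal is stripped too.
    // Tags outside this list are left intact.
    do {
        $previous = $string;
        $string = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', '', $string);
    } while ($previous !== $string);

    return $string;
}

/**
 * Rewrites every $_GET and $_POST value in place via excludeJS_XSS_value().
 *
 * Keys are not touched. $_COOKIE and the request body are not covered, and
 * $_REQUEST is a separate copy that keeps the original values. The values
 * are still not safe to echo afterwards; escape at output.
 *
 * @return void
 */
function excludeJS_XSS()
{
    // The helper returns an empty array unchanged, so the original sizeof()
    // guards are unnecessary.
    $_GET = excludeJS_XSS_value($_GET);
    $_POST = excludeJS_XSS_value($_POST);
}

/**
 * Normalises one search-field value: percent-decodes, decodes HTML entities,
 * strips tags, drops the sequences ">, <", <', '> and removes a leading
 * "Например: " placeholder (Russian for "For example: ").
 *
 * NOTE(review): the result is NOT safe to echo. Only four two-character
 * sequences are removed, so a lone quote survives and can still terminate an
 * attribute value; always pass the result through htmlspecialchars() at
 * output. Decoding entities first also means "&lt;b&gt;" typed by the user
 * becomes "<b>" and is then stripped. PHP has already percent-decoded
 * $_GET/$_POST, so urldecode() here is a second decode: a literal "%3C" or
 * "+" in the submitted text is transformed. Both behaviours are kept for
 * compatibility with existing callers.
 *
 * @param string|null $text raw search value; null (missing field) yields ''
 * @return string|null the cleaned text (null only if preg_replace() fails)
 */
function searchValue($text)
{
    // urldecode(null) returned '' but is deprecated since PHP 8.1; short-circuit.
    if ($text === null) {
        return '';
    }
    $text = urldecode($text);
    // Charset given explicitly: the default changed across PHP versions
    // (UTF-8 on modern PHP), so the decode is now deterministic.
    $text = html_entity_decode($text, ENT_QUOTES, 'UTF-8');
    $text = strip_tags($text);
    // Applied sequentially in this order, exactly like the original four calls.
    $text = str_replace(array('">', '<"', "<'", "'>"), '', $text);
    return preg_replace('#^Например:\s#', '', $text);
}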