php如何过滤xss攻击

时间:2022-12-06 01:20

php如何过滤xss攻击

php过滤xss攻击的示例:

在对应的php文件中添加以下代码:

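<?php

declare(strict_types=1);

/**
 * Best-effort blacklist filter against reflected/stored XSS (the widely
 * copied "RemoveXSS" routine, cleaned up).
 *
 * What it does, in order:
 *  1. strips ASCII control characters except TAB, LF and CR;
 *  2. decodes decimal and hex numeric entities that spell out printable
 *     ASCII, so a keyword cannot be hidden as "&#106;avascript";
 *  3. neuters a fixed list of tag names and on* event handlers by inserting
 *     "<x>" after their second character, tolerating entity-encoded
 *     whitespace between the letters; repeats until nothing changes.
 *
 * This is a blacklist that rewrites input destructively (entities are
 * decoded, keywords are mangled). It is not a substitute for context-aware
 * output escaping, e.g. htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE,
 * 'UTF-8') in HTML context; use it, if at all, as defence in depth.
 *
 * Fixes relative to the common copy of this snippet: the control-character
 * class no longer contains literal commas (which silently stripped every ","
 * from the input), it covers 0x1a-0x1f as well, the decimal whitespace
 * alternation is "(9|10|13)" instead of the character class "[9|10|13]"
 * (which matched the single characters 9, |, 1, 0, 3), the hex class also
 * accepts CR (0x0d) like the decimal one does, and the "keep going while the
 * last round replaced something" loop now checks after a full round instead
 * of after the first keyword.
 *
 * @param string $val raw, untrusted input
 * @return string the filtered input
 */
function RemoveXSS(string $val): string
{
    // Remove non-printable characters. TAB (0x09), LF (0x0a) and CR (0x0d)
    // are kept because some inputs legitimately contain them; callers that
    // care about splits on \t, \n, \r must handle them later.
    // This defeats re-spacing tricks such as <java\0script>.
    $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

    // Straight replacements: decode numeric entities for ordinary printable
    // characters, which a user never needs to encode. Prevents e.g.
    // <IMG SRC=&#106;avascript:alert('XSS')>.
    $search = 'abcdefghijklmnopqrstuvwxyz'
        . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
        . '1234567890!@#$%^&*()'
        . '~`";:?+/={}[]-_|\'\\';

    foreach (str_split($search) as $char) {
        $code = ord($char);
        // ";?" makes the terminating semicolon optional and "0{0,8}" absorbs
        // zero padding (e.g. &#x0000061;), for both the hex and decimal forms.
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex($code) . ';?)/i', $char, $val);
        $val = preg_replace('/(&#0{0,8}' . $code . ';?)/', $char, $val);
    }

    // Now the only remaining whitespace tricks are \t, \n and \r, raw or
    // entity-encoded, placed between the letters of a keyword.
    $tags = [
        'javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink',
        'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset',
        'ilayer', 'layer', 'bgsound', 'title', 'base',
    ];
    $handlers = [
        'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
        'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus',
        'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur',
        'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu',
        'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged',
        'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend',
        'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror',
        'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin',
        'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup',
        'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter',
        'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup',
        'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste',
        'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend',
        'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted',
        'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart',
        'onstop', 'onsubmit', 'onunload',
    ];
    $keywords = array_merge($tags, $handlers);

    // Allowed between two consecutive letters of a keyword: any number of
    // entity-encoded TAB/LF/VT/CR, as hex (&#x09; &#x0a; &#x0b; &#x0d;) or
    // decimal (&#9; &#10; &#13;), each with up to eight zeros of padding.
    $gap = '((&#[xX]0{0,8}[9abd];)|(&#0{0,8}(9|10|13);))*';

    // Keep replacing as long as the previous round replaced something; every
    // replacement inserts "<x>", so the loop terminates once no keyword matches.
    do {
        $before = $val;
        foreach ($keywords as $word) {
            $pattern = '/' . implode($gap, str_split($word)) . '/i';
            // Add "<x>" after the second character to nerf the tag/attribute.
            $replacement = substr($word, 0, 2) . '<x>' . substr($word, 2);
            $val = preg_replace($pattern, $replacement, $val);
        }
    } while ($before !== $val);

    return $val;
}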
