This is an anti-intrusion replacement snippet I found online. I don't really understand hex; I wanted to test this statement, so I wrote things like 0x0061 for it to replace, but it just ignored me. Frustrating. Could someone write a few strings that this statement would actually replace so I can see it work? Thanks!
$str = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $str);
$str = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $str);
$search = array('a', 'b', 'c');
// the forum rendered the original entity as a plain "a"; &#x61; (the hex entity for "a") is assumed here
$str = "&#x61;";
for ($i = 0; $i < count($search); $i++) {
    // replace the hex entity of $search[$i] (any case, up to 8 leading zeros, ';' optional) with the character itself
    $str = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $str);
}
echo $str;
So what does & mean? A concatenation operator? Isn't that from ASP?
<?php
// "a" and "b" escaped as HTML entities (the forum rendered the original entities; &#x61;&#x62; is assumed here)
$str = "&#x61;&#x62;";
// html_entity_decode converts HTML entities back to characters; read up on escaping and you will see what this RSS cross-site attack function is for
echo html_entity_decode($str);
?>
$search = 'abcdefghijklmnopqrstuvwxyz';
$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search .= '1234567890!@#$%^&*()';
$search .= '~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < strlen($search); $i++) {
    // hex entity form, e.g. &#x61; -> a
    $str = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $str);
    // decimal entity form, e.g. &#97; -> a
    $str = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $str);
}
Now that html_entity_decode exists, is this for loop unnecessary? Can I just call html_entity_decode directly? $str = html_entity_decode($str); Going one step further, can I just apply addslashes(html_entity_decode($str)) to every variable received, right in the config file?
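As an added example (not code from the thread), the same two-regex normalization ported to Python, run over constructed inputs that show what the loop decodes and one case where the optional ';' makes it corrupt a longer, legitimate entity:

```python
import re

# Same character set the thread's RemoveXSS loop walks through
SEARCH = ('abcdefghijklmnopqrstuvwxyz'
          'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
          '1234567890!@#$%^&*()'
          '~`";:?+/={}[]-_|\'\\')


def normalize_numeric_entities(s: str) -> str:
    """Port of the two preg_replace calls in the loop.

    For each character c in SEARCH, replace
      &#x<hex(ord c)>  (any case, up to 8 leading zeros, ';' optional)
      &#<ord c>        (up to 8 leading zeros, ';' optional)
    with the literal character c.
    """
    for c in SEARCH:
        hex_form = re.compile(r'&#[xX]0{0,8}' + format(ord(c), 'x') + r';?', re.IGNORECASE)
        dec_form = re.compile(r'&#0{0,8}' + str(ord(c)) + r';?')
        # a callable replacement inserts characters like '\' literally
        s = hex_form.sub(lambda _m, c=c: c, s)
        s = dec_form.sub(lambda _m, c=c: c, s)
    return s


# Constructed inputs: what the loop normalises, and where it misbehaves
SAMPLES = {
    '&#x61;': 'a',                       # hex entity
    '&#X0000061': 'a',                   # upper-case X, zero padding, no semicolon
    '&#97;': 'a',                        # decimal entity
    '&#0097': 'a',                       # zero-padded decimal, no semicolon
    '&#x6A;avascript:': 'javascript:',   # why this runs before the javascript: filter
    '&#971;': 'a1;',                     # optional ';' lets "&#97" eat a longer entity (U+03CB)
    '&#x' + '0' * 10 + '61;': '&#x' + '0' * 10 + '61;',  # more than 8 zeros is left alone
}


def check_samples() -> bool:
    """True when every constructed sample normalises to the expected string."""
    return all(normalize_numeric_entities(src) == want for src, want in SAMPLES.items())


if __name__ == '__main__':
    for src, want in SAMPLES.items():
        print(f'{src!r:28} -> {normalize_numeric_entities(src)!r}')
    print('all samples as expected:', check_samples())
```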
<?php
function RemoveXSS($str) {
    // strip control characters; the original class had literal commas in it and so stripped ',' too
    $str = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $str);
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++) {
        // hex entity form, e.g. &#x61; -> a
        $str = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $str);
        // decimal entity form, e.g. &#97; -> a
        $str = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $str);
    }
    $str = preg_replace('/<script.*?<\/script>|<iframe.*?<\/iframe>|expression[\(][^\;\}]*[\;\}]/is', '', $str);
    // the original used the /e modifier (removed in PHP 7); preg_replace_callback does the same job.
    // /e passed the backreference through addslashes, which the original undid with stripslashes;
    // the callback receives the raw capture, so no stripslashes is needed on $m[1]
    $str = addslashes(preg_replace_callback('/<(.*?)>/is', function ($m) {
        return '<' . preg_replace(
            array('/javascript:[^"\']*/is', '/on.*?[ \t\n]*=[ \t\n]*["\'][^"\']*["\']/is', '/\s+/'),
            array('', '', ' '),
            $m[1]
        ) . '>';
    }, stripslashes($str)));
    return $str;
}
echo RemoveXSS("<script>alert('fsdafads');</script>");
echo RemoveXSS("<iframe>alert('fsdafads');</iframe>");
echo RemoveXSS("<a href='javascript:test()'>fdasfds</a>");
?>