过滤在线编辑器产生的不安全html代码

帅的相对论 2015-12-16

过滤在线编辑器产生的不安全html代码;
<?php
/**
* 过滤在线编辑器产生的不安全html代码.
*
* PHP versions 4 and 5
*
* @copyright 版权所无,任意传播.
* @link http://www.52sunny.net
* @name html过滤
* @version v 0.0.10
* @author Lucklrj ([email protected],qq:7691272)
* @lastmodified 2006-06-09 10:42 (Tue, 2006-06-09)
* @notice 此版本只过滤js,框架,表单。
作者能力有限,使用本程序若产生任何安全问题,与本人无关。
欢迎来信与我交流。
*/
str="<tr><td bgcolor='#FFFFFF'>
<div style='url(123.offsetWidth)>";
//str="url(javascript:x)";

/*不需要过滤的数组*/
htm_on=array(
"<acronym","acronym>",
"<baseFont","baseFont>",
"<button","button>",
"<caption","caption>",
"<clientInformation","clientInformation>",
"<font","font>",
"<implementation","implementation>",
"<button","button>",
"<location","location>",
"<option","option>",
"<selection","selection>",
"<strong","strong>");

htm_on_uper=array(
"<ACRONYM","ACRONYM>",
"<BASEFONT","BASEFONT>",
"<BUTTON","BUTTON>",
"<CAPTION","CAPTION>",
"<CLIENTINFORMATION","CLIENTINFORMATION>",
"<FONT","FONT>",
"<IMPLEMENTATION","IMPLEMENTATION>",
"<BUTTON","BUTTON>",
"<LOCATION","LOCATION>",
"<OPTION","OPTION>",
"<SELECTION","SELECTION>",
"<STRONG","STRONG>");

/*字符格式*/
str=strtolower(str);
str=preg_replace("/s+/", " ", str);//过滤回车
str=preg_replace("/ +/", " ", str);//过滤多个空格

/*过滤/替换几种形式的js*/
str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","",str);//删除<script>。。。</script>格式,
//str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","&lt;\1&gt;\2&lt;\3&gt;",str);//替换为可以显示的,

str=preg_replace("/<(script.*?)>/si","",str);//删除<script>未封闭
//str=preg_replace("/<(script.*?)>/si","&lt;\1&gt;",str);//替换未封闭

/*删除/替换表单*/
str=preg_replace("/<(/?form.*?)>/si","",str);//删除表单
//str=preg_replace("/<(/?form.*?)>/si","&lt;\1&gt;",str);//替换表单

str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","",str);//删除框架
//str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","&lt;\1&gt;\2&lt;\3&gt;",str);//替换框架

/*过滤on事件*/
str=preg_replace("/href=(.+?)(["|'| |>])/ie","'href='.strtoupper('\1').'\2'",str);//把href=涉及到的on转换为大写。
str=str_replace(htm_on,htm_on_uper,str);//把<font,font>换为大写,dhtml标签字符,正则判断太烦琐,采用转换办法。
str=preg_replace("/(on[^ .<>]+?)([ |>])/s","\2",str);//取掉on事件

/*过滤超级连接的js*/
str=preg_replace("/(href|src|background|url|dynsrc|expression|codebase)[=:(]([ "']*?w+..*?|javascript|vbscript:[^>]*?)()?)([ >/])/si","\1='#' \3\4",str);//取掉href=javascript:

//返回小写字符
str=strtolower(str);
str=str_replace("&","&#x26;",str);
echo str;
?>

相关推荐