帅的相对论 2015-12-16
过滤在线编辑器产生的不安全html代码; <?php /** * 过滤在线编辑器产生的不安全html代码. * * PHP versions 4 and 5 * * @copyright 版权所无,任意传播. * @link http://www.52sunny.net * @name html过滤 * @version v 0.0.10 * @author Lucklrj ([email protected],qq:7691272) * @lastmodified 2006-06-09 10:42 (Tue, 2006-06-09) * @notice 此版本只过滤js,框架,表单。 作者能力有限,使用本程序若产生任何安全问题,与本人无关。 欢迎来信与我交流。 */ str="<tr><td bgcolor='#FFFFFF'> <div style='url(123.offsetWidth)>"; //str="url(javascript:x)"; /*不需要过滤的数组*/ htm_on=array( "<acronym","acronym>", "<baseFont","baseFont>", "<button","button>", "<caption","caption>", "<clientInformation","clientInformation>", "<font","font>", "<implementation","implementation>", "<button","button>", "<location","location>", "<option","option>", "<selection","selection>", "<strong","strong>"); htm_on_uper=array( "<ACRONYM","ACRONYM>", "<BASEFONT","BASEFONT>", "<BUTTON","BUTTON>", "<CAPTION","CAPTION>", "<CLIENTINFORMATION","CLIENTINFORMATION>", "<FONT","FONT>", "<IMPLEMENTATION","IMPLEMENTATION>", "<BUTTON","BUTTON>", "<LOCATION","LOCATION>", "<OPTION","OPTION>", "<SELECTION","SELECTION>", "<STRONG","STRONG>"); /*字符格式*/ str=strtolower(str); str=preg_replace("/s+/", " ", str);//过滤回车 str=preg_replace("/ +/", " ", str);//过滤多个空格 /*过滤/替换几种形式的js*/ str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","",str);//删除<script>。。。</script>格式, //str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","<\1>\2<\3>",str);//替换为可以显示的, str=preg_replace("/<(script.*?)>/si","",str);//删除<script>未封闭 //str=preg_replace("/<(script.*?)>/si","<\1>",str);//替换未封闭 /*删除/替换表单*/ str=preg_replace("/<(/?form.*?)>/si","",str);//删除表单 //str=preg_replace("/<(/?form.*?)>/si","<\1>",str);//替换表单 str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","",str);//删除框架 //str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","<\1>\2<\3>",str);//替换框架 /*过滤on事件*/ str=preg_replace("/href=(.+?)(["|'| |>])/ie","'href='.strtoupper('\1').'\2'",str);//把href=涉及到的on转换为大写。 str=str_replace(htm_on,htm_on_uper,str);//把<font,font>换为大写,dhtml标签字符,正则判断太烦琐,采用转换办法。 str=preg_replace("/(on[^ .<>]+?)([ |>])/s","\2",str);//取掉on事件 /*过滤超级连接的js*/ str=preg_replace("/(href|src|background|url|dynsrc|expression|codebase)[=:(]([ "']*?w+..*?|javascript|vbscript:[^>]*?)()?)([ >/])/si","\1='#' \3\4",str);//取掉href=javascript: //返回小写字符 str=strtolower(str); str=str_replace("&","&",str); echo str; ?>