利用PHP编程防范XSS跨站脚本攻击

利用PHP编程防范XSS跨站脚本攻击

国内不少论坛都存在跨站脚本漏洞，国外(也很)多这样(的)例子，甚至Google(也)出现过，不过在12月初时修正了。(编者注：关于跨站脚本漏洞攻击，读者可参阅《详解XSS跨站脚本攻击》)。跨站攻击(很)容易(就)可以构造，而且非常隐蔽，不易被查觉（通常盗取信息后马上跳转回原页面）。

　　如何攻击，在此不作说明（(也)不要问我），主要谈谈如何防范。首先，跨站脚本攻击都(是)由于对用户(的)输入没有进行严格(的)过滤造成(的)，所以我们必须在所有数据进入我们(的)网站和数据库之前把可能(的)危险拦截。针对非法(的)HTML代码包括单双引号等，可以使用htmlentities() 。

＜?php
$str = "A quote is ＜b＞bold＜/b＞";
// Outputs: A quote is <b>bold</b>
echo htmlentities($str);
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?＞

 

　　这样可以使非法(的)脚本失效。

　　但(是)要注意一点，htmlentities()默认编码为 ISO-8859-1，如果你(的)非法脚本编码为其它，那么可能无法过滤掉，同时浏览器却可以识别和执行。这个问题我先找几个站点测试后再说。

　　这里提供一个过滤非法脚本(的)函数：

function RemoveXSS($val) {
　// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
　// this prevents some character re-spacing such as ＜javascript＞
　// note that you have to handle splits with
,
, and 　　 later since they *are* allowed in some inputs
　$val = preg_replace(/([x00-x08][x0b-x0c][x0e-x20])/, , $val);
　// straight replacements, the user should never need these since theyre normal characters
　// this prevents like ＜IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&
_#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29＞
　$search = abcdefghijklmnopqrstuvwxyz;
　$search .= ABCDEFGHIJKLMNOPQRSTUVWXYZ;
　$search .= 1234567890!@#$%^&*();
　$search .= ~`";:?+/={}[]-_|;
　for ($i = 0; $i ＜ strlen($search); $i++) {
// ;? matches the ;, which is optional
// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
// &#x0040 @ search for the hex values
$val = preg_replace(/(&#[x|X]0{0,8}.dechex(ord($search[$i])).;?)/i, $search[$i], $val); // with a ;
// &#00064 @ 0{0,7} matches 0 zero to seven times
$val = preg_replace(/(&#0{0,8}.ord($search[$i]).;?)/, $search[$i], $val); // with a ;
　}
　// now the only remaining whitespace attacks are 　　,
, and
　$ra1 = Array(javascript, vbscript, expression, applet, meta, xml, blink, link, style, script, embed, object, iframe, frame, frameset, ilayer, layer, bgsound, title, base);
$ra2 = Array(onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur, onbounce, oncellchange, onchange, onclick, oncontextmenu, oncontrolselect, oncopy, oncut, ondataavailable, ondatasetchanged, ondatasetcomplete, ondblclick, ondeactivate, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, onerror, onerrorupdate, onfilterchange, onfinish, onfocus, onfocusin, onfocusout, onhelp, onkeydown, onkeypress, onkeyup, onlayoutcomplete, onload, onlosecapture, onmousedown, onmouseenter, onmouseleave, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onmove, onmoveend, onmovestart, onpaste, onpropertychange, onreadystatechange, onreset, onresize, onresizeend, onresizestart, onrowenter, onrowexit, onrowsdelete, onrowsinserted, onscroll, onselect, onselectionchange, onselectstart, onstart, onstop, onsubmit, onunload);
　$ra = array_merge($ra1, $ra2);
　$found = true; // keep replacing as long as the previous round replaced something
　while ($found == true) {
$val_before = $val;
for ($i = 0; $i ＜ sizeof($ra); $i++) {
　$pattern = /;
　for ($j = 0; $j ＜ strlen($ra[$i]); $j++) {
if ($j ＞ 0) {
　$pattern .= (;
　$pattern .= (&#[x|X]0{0,8}([9][a][b]);?)?;
　$pattern .= |(&#0{0,8}([9][10][13]);?)?;
　$pattern .= )?;
}
　$pattern .= $ra[$i][$j];
}
$pattern .= /i;
$replacement = substr($ra[$i], 0, 2).＜x＞.substr($ra[$i], 2); // add in ＜＞ to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
if ($val_before == $val) {
　// no replacements were made, so exit the loop
　$found = false;
}
　}
}
}