{"id":348,"date":"2014-07-03T09:06:12","date_gmt":"2014-07-03T09:06:12","guid":{"rendered":"http:\/\/ixyzero.com\/blog\/?p=348"},"modified":"2014-07-03T09:06:12","modified_gmt":"2014-07-03T09:06:12","slug":"collect%e8%bf%87%e6%bb%a4xss%e6%94%bb%e5%87%bb%e7%9a%84php%e5%87%bd%e6%95%b0","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/348.html","title":{"rendered":"[collect]\u8fc7\u6ee4XSS\u653b\u51fb\u7684PHP\u51fd\u6570"},"content":{"rendered":"<p>\u4ece <a title=\"PHP CodeBase: \u8fc7\u6ee4XSS\u653b\u51fb\u7684PHP\u51fd\u6570\" href=\"http:\/\/www.nowamagic.net\/librarys\/veda\/detail\/2353\" target=\"_blank\">http:\/\/www.nowamagic.net\/librarys\/veda\/detail\/2353<\/a>\u00a0\u8f6c\u8f7d\u6536\u96c6\u800c\u6765\u7684\u529f\u80fd\u51fd\u6570\uff0c\u4ee3\u7801\u786e\u5b9e\u5f88\u597d\uff0c\u8f6c\u8fc7\u6765\u4e00\u65b9\u9762\u662f\u5b66\u4e60\uff0c\u53e6\u4e00\u65b9\u9762\u505a\u4e2a\u5907\u4efd\uff1a<\/p>\n<pre class=\"lang:php decode:true \">&lt;?php\nfunction RemoveXSS($val) {\n\t\/\/ remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed\n\t\/\/ this prevents some character re-spacing such as &lt;java\u0000script&gt;\n\t\/\/ note that you have to handle splits with n, r, and t later since they *are* allowed in some inputs\n\t$val = preg_replace('\/([x00-x08,x0b-x0c,x0e-x19])\/', '', $val);\n\n\t\/\/ straight replacements, the user should never need these since they're normal characters\n\t\/\/ this prevents like &lt;IMG SRC=@avascript:alert('XSS')&gt;\n\t$search = 'abcdefghijklmnopqrstuvwxyz';\n\t$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';\n\t$search .= '1234567890!@#$%^&amp;*()';\n\t$search .= '~`\";:?+\/={}[]-_|'\\';\n\tfor ($i = 0; $i &lt; strlen($search); $i++) {\n\t\t\/\/ ;? 
matches the ;, which is optional\n\t\t\/\/ 0{0,7} matches any padded zeros, which are optional and go up to 8 chars\n\n\t\t\/\/ @ @ search for the hex values\n\t\t$val = preg_replace('\/(&amp;#[xX]0{0,8}'.dechex(ord($search[$i])).';?)\/i', $search[$i], $val); \/\/ with a ;\n\t\t\/\/ @ @ 0{0,7} matches '0' zero to seven times\n\t\t$val = preg_replace('\/(&amp;#0{0,8}'.ord($search[$i]).';?)\/', $search[$i], $val); \/\/ with a ;\n\t}\n\n\t\/\/ now the only remaining whitespace attacks are t, n, and r\n\t$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');\n\t$ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');\n\t$ra = array_merge($ra1, $ra2);\n\n\t$found = true; \/\/ keep replacing as long as the previous round replaced 
something\n\twhile ($found == true) {\n\t\t$val_before = $val;\n\t\tfor ($i = 0; $i &lt; sizeof($ra); $i++) {\n\t\t\t$pattern = '\/';\n\t\t\tfor ($j = 0; $j &lt; strlen($ra[$i]); $j++) {\n\t\t\t\tif ($j &gt; 0) {\n\t\t\t\t\t$pattern .= '(';\n\t\t\t\t\t$pattern .= '(&amp;#[xX]0{0,8}([9ab]);)';\n\t\t\t\t\t$pattern .= '|';\n\t\t\t\t\t$pattern .= '|(&amp;#0{0,8}([9|10|13]);)';\n\t\t\t\t\t$pattern .= ')*';\n\t\t\t\t}\n\t\t\t\t$pattern .= $ra[$i][$j];\n\t\t\t}\n\t\t\t$pattern .= '\/i';\n\t\t\t$replacement = substr($ra[$i], 0, 2).'&lt;x&gt;'.substr($ra[$i], 2); \/\/ add in &lt;&gt; to nerf the tag\n\t\t\t$val = preg_replace($pattern, $replacement, $val); \/\/ filter out the hex tags\n\t\t\tif ($val_before == $val) {\n\t\t\t\t\/\/ no replacements were made, so exit the loop\n\t\t\t\t$found = false;\n\t\t\t}\n\t\t}\n\t}\n\treturn $val;\n}\n?&gt;<\/pre>\n<p>\u4ece\u4ee3\u7801\u4e2d\u4e5f\u53ef\u4ee5\u770b\u51fa\uff0c\u8fd9\u91cc\u8fc7\u6ee4\u7684\u6838\u5fc3\u65b9\u6cd5\u5c31\u662fpreg_replace()\u7684\u6b63\u5219\u66ff\u6362\uff0c\u6240\u4ee5\uff0c\u8fc7\u6ee4\u6548\u679c\u7684\u597d\u574f\u4e5f\u5728\u4e8e\u6b63\u5219\u8868\u8fbe\u5f0f\u7684\u8d28\u91cf\u9ad8\u4f4e\u4e86\u3002<\/p>\n<p>补充两点提醒。第一，这段代码是黑名单式过滤，只能拦截已知关键字及其实体编码写法，不应作为防御 XSS 的主要手段；可靠的做法是在输出时按上下文编码（例如 htmlspecialchars($val, ENT_QUOTES, 'UTF-8')），富文本则交给 HTML Purifier 这类白名单解析器处理。第二，转载的代码明显丢失了反斜杠：第一个正则应为 \\x00-\\x08、\\x0b-\\x0c、\\x0e-\\x19 这样的十六进制转义，注释里的 “n, r, and t” 原本是 \\n、\\r、\\t，$search 末尾的 \\' 和 \\\\ 也被吃掉了，直接复制运行会报语法错误或把大量正常字符删掉。此外，循环里的 [9|10|13] 是字符类，匹配的是单个字符 9、|、1、0、3 而不是十进制实体 9\/10\/13；$found 的判断放在内层 for 里，只要本轮第一个关键字没有被替换就会置为 false，“重复替换直到没有变化”实际上基本只跑一轮。<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4ece http:\/\/www.nowamagic.net\/librarys\/veda\/detail\/2353\u00a0\u8f6c\u8f7d 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,25,12],"tags":[167,168,48,169],"class_list":["post-348","post","type-post","status-publish","format-standard","hentry","category-programing","category-security","category-tools","tag-dechex","tag-ord","tag-php","tag-preg_replace"],"views":2416,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=348"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/348\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=348"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=348"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}