<?
php
/**
 * Filters unsafe HTML produced by an online (WYSIWYG) editor.
 *
 * PHP versions 4 and 5
 *
 * @copyright No copyright claimed; redistribute freely.
 * @link http://www.52sunny.net
 * @name HTML filter
 * @version v 0.0.10
 * @author Lucklrj (sunny_lrj@yeah.net,qq:7691272)
 * @lastmodified 2006-06-09 10:42 (Tue, 2006-06-09)
 * @notice This version only filters JS, frames and forms.
 * The author's abilities are limited; the author accepts no responsibility for any
 * security problems arising from use of this program.
 * You are welcome to write to me.
 *
 * NOTE(review): as printed, this listing appears extraction-garbled: the opening tag is
 * split across two lines ("<?" / "php"), string contents carry extra surrounding spaces,
 * and the regex patterns/replacements have lost their backslashes ("/s+/" where "\s+" is
 * evidently meant, "/1" for "\1", "w+." for "\w+\."). Confirm every pattern against the
 * original source before relying on any of it.
 * NOTE(review): this is a blacklist filter (see @notice) applied to markup that is by
 * definition untrusted. Blacklists are fragile by construction: anything not named below
 * passes through unchanged. For output safety prefer a whitelist-based HTML sanitiser and
 * context-appropriate escaping (htmlspecialchars) at the point of output.
 * NOTE(review): the href rule below uses the PCRE "e" modifier, which evaluates the
 * replacement string as PHP code with the captured text substituted in. "e" was deprecated
 * in PHP 5.5 and removed in PHP 7.0; preg_replace_callback() provides the same effect
 * without eval semantics.
 */
// Sample input used by the author to exercise the filter (constructed test data; the
// closing quote of the style attribute is missing as printed).
$str = " <tr><td bgcolor='#FFFFFF'>
<div style='url(123.offsetWidth)> " ;
// Alternative sample input, kept commented out by the author:
// $str="url(javascript:x)";
/* Tag names that must NOT be stripped by the on-event rule below. Every name in this list
 * contains the substring "on" (acr-on-ym, f-on-t, butt-on, ...); they are temporarily
 * uppercased so the lowercase "on..." pattern does not match them, then lowercased again
 * at the end. NOTE(review): "<button" appears twice in both arrays (harmless redundancy).
 * NOTE(review): the input is lowercased first (strtolower below) but "<baseFont" and
 * "<clientInformation" are mixed-case here; str_replace() is case-sensitive, so as written
 * those two entries can never match. */
$htm_on = array (
" <acronym " , " acronym> " ,
" <baseFont " , " baseFont> " ,
" <button " , " button> " ,
" <caption " , " caption> " ,
" <clientInformation " , " clientInformation> " ,
" <font " , " font> " ,
" <implementation " , " implementation> " ,
" <button " , " button> " ,
" <location " , " location> " ,
" <option " , " option> " ,
" <selection " , " selection> " ,
" <strong " , " strong> " );
/* Uppercase counterparts of $htm_on, position for position (str_replace pairs them by index). */
$htm_on_uper = array (
" <ACRONYM " , " ACRONYM> " ,
" <BASEFONT " , " BASEFONT> " ,
" <BUTTON " , " BUTTON> " ,
" <CAPTION " , " CAPTION> " ,
" <CLIENTINFORMATION " , " CLIENTINFORMATION> " ,
" <FONT " , " FONT> " ,
" <IMPLEMENTATION " , " IMPLEMENTATION> " ,
" <BUTTON " , " BUTTON> " ,
" <LOCATION " , " LOCATION> " ,
" <OPTION " , " OPTION> " ,
" <SELECTION " , " SELECTION> " ,
" <STRONG " , " STRONG> " );
/* Character normalisation. NOTE(review): strtolower() is applied to the WHOLE string, so
 * the case of the user's visible text content is lost, not just that of tag names. */
$str = strtolower ( $str );
$str = preg_replace ( " /s+/ " , " " , $str ); // collapse line breaks/whitespace runs to one space (NOTE(review): pattern reads "/s+/"; "\s+" is presumably intended — confirm)
$str = preg_replace ( " / +/ " , " " , $str ); // collapse multiple spaces into one
/* Filter/replace several forms of JS. */
$str = preg_replace ( " /<(script.*?)>(.*?)<(/script.*?)>/si " , "" , $str ); // remove <script>...</script> blocks (s: dot matches newline; i: case-insensitive)
// Alternative kept by the author: re-emit the block in a displayable (non-executing) form instead of deleting it.
//$str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","</1>/2</3>",$str);//替换为可以显示的,
$str = preg_replace ( " /<(script.*?)>/si " , "" , $str ); // remove an unclosed <script ...> tag
// Alternative kept by the author: replace the unclosed tag instead of deleting it.
//$str=preg_replace("/<(script.*?)>/si","</1>",$str);//替换未封闭
/* Remove/replace forms. */
$str = preg_replace ( " /<(/?form.*?)>/si " , "" , $str ); // remove opening and closing <form> tags
// Alternative kept by the author: replace form tags instead of deleting them.
//$str=preg_replace("/<(/?form.*?)>/si","</1>",$str);//替换表单
$str = preg_replace ( " /<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si " , "" , $str ); // remove <frame>/<iframe> ... </frame>/</iframe>
// Alternative kept by the author: replace frames instead of deleting them.
//$str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","</1>/2</3>",$str);//替换框架
/* Filter on* event handlers. */
// Uppercase href= values so any "on" inside a URL is not matched by the on-event rule below.
// NOTE(review): the "e" modifier evaluates the replacement as PHP code (removed in PHP 7.0);
// use preg_replace_callback() with strtoupper() on the capture instead. Replacement backrefs
// read "/1", "/2" — presumably "\1", "\2" lost in extraction.
$str = preg_replace ( " /href=(.+?)(["|'| |>])/ie " , " 'href='.strtoupper('/1').'/2' " , $str ); // uppercase the href value
$str = str_replace ( $htm_on , $htm_on_uper , $str ); // uppercase <font, font> etc.; excluding these DHTML tag names in the regex was too fiddly, so a substitution is used instead
$str = preg_replace ( " /(on[^ .<>]+?)([ |>])/s " , " /2 " , $str ); // strip on* event attributes, keeping only the terminator (group 2)
/* Filter JS in hyperlinks and URL-bearing attributes. */
// NOTE(review): as printed this pattern has unbalanced parentheses and no backslashes;
// the replacement refers to groups 1, 3 and 4, so the original almost certainly had four
// groups. Reconstruct from the original source rather than from this listing.
$str = preg_replace ( " /(href|src|background|url|dynsrc|expression|codebase)[=:(]([ "']*?w+..*?|javascript|vbscript:[^>]*?)()?)([ >/])/si " , " /1='#' /3/4 " , $str ); // neutralise href=javascript: and similar by pointing the attribute at '#'
// Return to lowercase (undoes the temporary uppercasing above).
$str = strtolower ( $str );
// NOTE(review): as printed this replaces " & " with itself (a no-op); an entity such as
// "&amp;" was presumably lost in extraction — confirm against the original source.
$str = str_replace ( " & " , " & " , $str );
echo $str ;
?>
/* *
* 过滤在线编辑器产生的不安全html代码.
*
* PHP versions 4 and 5
*
* @copyright 版权所无,任意传播.
* @link http://www.52sunny.net
* @name html过滤
* @version v 0.0.10
* @author Lucklrj (sunny_lrj@yeah.net,qq:7691272)
* @lastmodified 2006-06-09 10:42 (Tue, 2006-06-09)
* @notice 此版本只过滤js,框架,表单。
作者能力有限,使用本程序若产生任何安全问题,与本人无关。
欢迎来信与我交流。
*/
$str = " <tr><td bgcolor='#FFFFFF'>
<div style='url(123.offsetWidth)> " ;
// $str="url(javascript:x)";
/* 不需要过滤的数组 */
$htm_on = array (
" <acronym " , " acronym> " ,
" <baseFont " , " baseFont> " ,
" <button " , " button> " ,
" <caption " , " caption> " ,
" <clientInformation " , " clientInformation> " ,
" <font " , " font> " ,
" <implementation " , " implementation> " ,
" <button " , " button> " ,
" <location " , " location> " ,
" <option " , " option> " ,
" <selection " , " selection> " ,
" <strong " , " strong> " );
$htm_on_uper = array (
" <ACRONYM " , " ACRONYM> " ,
" <BASEFONT " , " BASEFONT> " ,
" <BUTTON " , " BUTTON> " ,
" <CAPTION " , " CAPTION> " ,
" <CLIENTINFORMATION " , " CLIENTINFORMATION> " ,
" <FONT " , " FONT> " ,
" <IMPLEMENTATION " , " IMPLEMENTATION> " ,
" <BUTTON " , " BUTTON> " ,
" <LOCATION " , " LOCATION> " ,
" <OPTION " , " OPTION> " ,
" <SELECTION " , " SELECTION> " ,
" <STRONG " , " STRONG> " );
/* 字符格式 */
$str = strtolower ( $str );
$str = preg_replace ( " /s+/ " , " " , $str ); // 过滤回车
$str = preg_replace ( " / +/ " , " " , $str ); // 过滤多个空格
/* 过滤/替换几种形式的js */
$str = preg_replace ( " /<(script.*?)>(.*?)<(/script.*?)>/si " , "" , $str ); // 删除<script>。。。</script>格式,
//$str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","</1>/2</3>",$str);//替换为可以显示的,
$str = preg_replace ( " /<(script.*?)>/si " , "" , $str ); // 删除<script>未封闭
//$str=preg_replace("/<(script.*?)>/si","</1>",$str);//替换未封闭
/* 删除/替换表单 */
$str = preg_replace ( " /<(/?form.*?)>/si " , "" , $str ); // 删除表单
//$str=preg_replace("/<(/?form.*?)>/si","</1>",$str);//替换表单
$str = preg_replace ( " /<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si " , "" , $str ); // 删除框架
//$str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","</1>/2</3>",$str);//替换框架
/* 过滤on事件 */
$str = preg_replace ( " /href=(.+?)(["|'| |>])/ie " , " 'href='.strtoupper('/1').'/2' " , $str ); // 把href=涉及到的on转换为大写。
$str = str_replace ( $htm_on , $htm_on_uper , $str ); // 把<font,font>换为大写,dhtml标签字符,正则判断太烦琐,采用转换办法。
$str = preg_replace ( " /(on[^ .<>]+?)([ |>])/s " , " /2 " , $str ); // 取掉on事件
/* 过滤超级连接的js */
$str = preg_replace ( " /(href|src|background|url|dynsrc|expression|codebase)[=:(]([ "']*?w+..*?|javascript|vbscript:[^>]*?)()?)([ >/])/si " , " /1='#' /3/4 " , $str ); // 取掉href=javascript:
//返回小写字符
$str = strtolower ( $str );
$str = str_replace ( " & " , " & " , $str );
echo $str ;
?>