XSS handling
To prevent XSS, strings placed in different parts of a page should be escaped with different methods, rather than running everything through htmlspecialchars. Simple and practical.
<?php
/**
 * XSS handling
 *
 * Author: 刘卫锋 (kevonliu@tencent.com)
 * Created: 2013-07-04
 *
 * $Id: Xss.php 48518 2013-07-05 03:35:04Z kevonliu $
 */
class Xss
{
    /**
     * Escape a string placed inside a link (quoted href/src attribute value)
     *
     * @param string $str
     * @return string
     */
    public static function link($str)
    {
        // Only the characters that could end the attribute value or the tag
        // are neutralized; this is not full URL encoding.
        $pairs = array(
            '\'' => '%27',
            '"'  => '%22',
            '<'  => '%3C',
            '>'  => '%3E',
        );
        return strtr($str, $pairs);
    }

    /**
     * Escape a string placed inside a JavaScript string literal
     *
     * @param string $str
     * @return string
     */
    public static function js($str)
    {
        // See ECMA 262 section 7.8.4 for string literal format.
        // Characters are replaced by \xNN escapes, which a JS parser turns
        // back into the original characters, so the value is not corrupted.
        $pairs = array(
            // "\\" => "\\\\",
            // "\"" => "\\\"",
            // '\'' => '\\\'',
            '"'  => '\\x22',
            '\'' => '\\x27',
            '\\' => '\\x5c',
            # To avoid closing the element or CDATA section
            '<' => '\\x3c',
            '>' => '\\x3e',
            # To avoid any complaints about bad entity refs
            '&' => '\\x26',
            # Work around https://bugzilla.mozilla.org/show_bug.cgi?id=274152
            # Encode certain Unicode formatting chars so affected
            # versions of Gecko don't misinterpret our strings;
            # this is a common problem with Farsi text.
            "\xe2\x80\x8c" => "\\u200c", // ZERO WIDTH NON-JOINER
            "\xe2\x80\x8d" => "\\u200d", // ZERO WIDTH JOINER
        );
        return strtr($str, $pairs);
    }

    /**
     * Escape a string placed in HTML text or a quoted attribute value
     *
     * @param string $str
     * @return string
     */
    public static function html($str)
    {
        // strtr() with an array makes a single pass over the input, so the
        // '&' produced for one character is never escaped a second time.
        $pairs = array(
            '"'  => '&quot;',
            '\'' => '&#39;',
            '&'  => '&amp;',
            '>'  => '&gt;',
            '<'  => '&lt;',
        );
        return strtr($str, $pairs);
    }
}
?>
The above is the PHP version; other languages are much the same.
Corrections welcome; let's improve together~~
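As an added example (not code from the original post), the same three escapers ported to Python, together with a small template that places one untrusted value in all three contexts, a decoder that shows the JS escaper is lossless, and a check that escaped text cannot close the string literal or the script element; all payloads are constructed for the demonstration:

```python
import re

# Added example, not from the original page: the page's three context-specific
# escapers ported to Python, plus a round-trip check and a breakout check.
# All payloads used with these functions are constructed for the demonstration.

JS_PAIRS = {'"': '\\x22', "'": '\\x27', '\\': '\\x5c',
            '<': '\\x3c', '>': '\\x3e', '&': '\\x26',
            '\u200c': '\\u200c', '\u200d': '\\u200d'}  # Gecko bug 274152 workaround
HTML_PAIRS = {'&': '&amp;', '"': '&quot;', "'": '&#39;', '>': '&gt;', '<': '&lt;'}
LINK_PAIRS = {"'": '%27', '"': '%22', '<': '%3C', '>': '%3E'}

def _escape(s, pairs):
    # Single pass, like PHP strtr(): each input character is looked up once,
    # so output produced for one character is never escaped a second time.
    return ''.join(pairs.get(ch, ch) for ch in s)

def html(s):
    return _escape(s, HTML_PAIRS)   # text nodes and quoted attribute values

def js(s):
    return _escape(s, JS_PAIRS)     # inside a quoted JS string literal

def link(s):
    return _escape(s, LINK_PAIRS)   # inside a quoted href/src value

def js_literal_decode(escaped):
    # What a JS engine sees after parsing the string literal: \xNN and \uNNNN
    # escapes become characters again. Used to prove js() does not corrupt data.
    return re.sub(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), escaped)

def breaks_script_string(escaped):
    # True if text placed inside "..." in a <script> block could still end the
    # literal or the element: a raw double quote, a '</' sequence, or a
    # backslash that is not one of the \xNN / \uNNNN escapes js() emits.
    if '"' in escaped or '</' in escaped:
        return True
    return re.search(r'\\(?!x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})', escaped) is not None

def render(user_value):
    # One untrusted value placed in three contexts, each with its own escaper.
    return ('<p>%s</p>\n' % html(user_value) +
            '<a href="/search?q=%s">link</a>\n' % link(user_value) +
            '<script>var q = "%s";</script>' % js(user_value))
```

Decoding html() output as a JS literal shows why one escaper is not a substitute for another: the value survives as `a&quot;b`, corrupted rather than injected.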