function xap ($in, $format=false) {
    if ($format == 'html') {
        // Produce "safe" HTML
        $in = preg_replace('/(<(link|script|iframe|object|applet|embed).*?>[^<]*(<\/(link|script|iframe|object|applet|embed).*?>)?)/i', '', $in); // Remove styles, scripts, frames and flash
        $in = preg_replace('/(script:)|(expression\()/i', '\\1&nbsp;', $in); // Neutralise the scripts that remain
        $in = preg_replace('/(onblur|onchange|onclick|ondblclick|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload)=?/i', '', $in);
        $in = preg_replace('/((src|href).*?=.*?)(http:\/\/)/i', '\\1redirect/\\2', $in);
        return $in;
    } else {
        return htmlentities($in);
    }
}
echo xap($text); //for read
echo xap($text, "html"); //for read html tags

The author says that this is ideal code for protecting against XSS... is it true?

There's no such thing as "ideal code". There are tons of nasty ways to circumvent such XSS filters, including abusing little-known encodings such as UTF-7. I'd look for a publicly documented, well-known, peer-reviewed library instead of trusting a single author to provide the "ideal code". – Joachim Sauer Mar 13 '12 at 10:00

3 Answers


You have forgotten onerror. => <img src="http://idontexists.neke/notexists.jpg" onerror="alert(document.cookie)" />


htmlentities() will protect you against XSS.

Your code looks like you also want to allow some HTML code. You should still run htmlentities() and after this run str_replace() to allow some HTML tags you need.

PiTheNumber
htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

Should be safe enough

http://php.net/manual/en/function.htmlspecialchars.php

Andreas Wong
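To see why the blacklist approach from the question fails where the escape-first approach from the last two answers holds, here is an added PHP example (not code from the question or any answer). blacklist_filter() is a copy of the question's regexes for the 'html' mode (minus the src/href rewriting line), escape_then_allow() is a hypothetical helper that follows PiTheNumber's "htmlentities() then str_replace()" advice using Andreas Wong's htmlspecialchars() call, and the sample inputs are constructed, with the onerror payload taken from the first answer.

```php
<?php
// Added example: the question's blacklist versus escape-then-allowlist.

function blacklist_filter(string $in): string {
    // Same regexes as the question's xap($in, 'html'), kept verbatim on purpose
    // (the src/href "redirect/" rewrite is left out; it does not affect XSS here).
    $in = preg_replace('/(<(link|script|iframe|object|applet|embed).*?>[^<]*(<\/(link|script|iframe|object|applet|embed).*?>)?)/i', '', $in);
    $in = preg_replace('/(script:)|(expression\()/i', '\\1&nbsp;', $in);
    $in = preg_replace('/(onblur|onchange|onclick|ondblclick|onfocus|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onreset|onselect|onsubmit|onunload)=?/i', '', $in);
    return $in;
}

// Hypothetical helper: escape everything first (Andreas Wong's answer), then
// re-enable only an explicit allowlist of bare, attribute-less tags
// (PiTheNumber's answer). Anything not on the list stays escaped and renders
// as literal text, so unknown attributes such as onerror never reach the browser.
function escape_then_allow(string $in, array $allowed = ['b', 'i']): string {
    $out = htmlspecialchars($in, ENT_QUOTES, 'UTF-8');
    foreach ($allowed as $tag) {
        // Only the exact "<tag>" and "</tag>" forms are restored; a tag carrying
        // attributes was escaped as "&lt;tag ...&gt;" and does not match.
        $out = str_replace(["&lt;$tag&gt;", "&lt;/$tag&gt;"], ["<$tag>", "</$tag>"], $out);
    }
    return $out;
}

// Constructed inputs: the onerror payload quoted in the first answer, and a
// harmless formatted comment that the allowlist is expected to keep intact.
$samples = [
    '<img src="http://idontexists.neke/notexists.jpg" onerror="alert(document.cookie)" />',
    'Hello <b>world</b>, <i>nice</i> post',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "blacklist: " . blacklist_filter($s) . "\n";
    echo "allowlist: " . escape_then_allow($s) . "\n\n";
}
// For the first sample the blacklist output still contains the onerror
// attribute (it is not in the regex's handler list), so a browser would run it;
// the allowlist output contains no raw '<' outside <b>/<i>, so it is inert.
```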