我的网站有问题,许多黑客来找我,窃取会员cookie并重定向到他们的网站。我搜索了一下,发现了一个阻止xss利用的脚本,但我是php的新手,不知道如何使用它。我尝试使用include和php文件的名称。此脚本:
/*
* XSS filter
*
* This was built from numerous sources
* (thanks all, sorry I didn't track to credit you)
*
* It was tested against *most* exploits here: http://ha.ckers.org/xss.html
* WARNING: Some weren't tested!!!
* Those include the Actionscript and SSI samples, or any newer than Jan 2011
*
*
* TO-DO: compare to SymphonyCMS filter:
* https://github.com/symphonycms/xssfilter/blob/master/extension.driver.php
* (Symphony's is probably faster than my hack)
*/
function xss_clean($data)
{
// Fix &entity'n;
$data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data);
$data = preg_replace('/(&#*'w+)['x00-'x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?['x00-'x20"''])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)['x00-'x20]*=['x00-'x20]*([`''"]*)['x00-'x20]*j['x00-'x20]*a['x00-'x20]*v['x00-'x20]*a['x00-'x20]*s['x00-'x20]*c['x00-'x20]*r['x00-'x20]*i['x00-'x20]*p['x00-'x20]*t['x00-'x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)['x00-'x20]*=([''"]*)['x00-'x20]*v['x00-'x20]*b['x00-'x20]*s['x00-'x20]*c['x00-'x20]*r['x00-'x20]*i['x00-'x20]*p['x00-'x20]*t['x00-'x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)['x00-'x20]*=([''"]*)['x00-'x20]*-moz-binding['x00-'x20]*:#u', '$1=$2nomozbinding...', $data);
// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style['x00-'x20]*=['x00-'x20]*[`''"]*.*?expression['x00-'x20]*'([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style['x00-'x20]*=['x00-'x20]*[`''"]*.*?behaviour['x00-'x20]*'([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style['x00-'x20]*=['x00-'x20]*[`''"]*.*?s['x00-'x20]*c['x00-'x20]*r['x00-'x20]*i['x00-'x20]*p['x00-'x20]*t['x00-'x20]*:*[^>]*+>#iu', '$1>', $data);
// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*'w+:'w[^>]*+>#i', '', $data);
do
{
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);
// we are done...
return $data;
}
如何使用它?请解释一下放在哪里?
您需要包含此文件,然后无论在哪里从客户端读取任何内容(或者更准确地说:在哪里输出客户端的输入),都需要用xss_clean($_GET['something'])
替换$_GET['something']
,用xss_clean($_POST['sth'])
替换$_POST['sth']