过滤在线编辑器产生的不安全html代码.

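<?php

declare(strict_types=1);

/**
 * Filter unsafe HTML produced by an online (WYSIWYG) editor.
 *
 * Requires PHP 7.0+: the original targeted PHP 4/5 and relied on the
 * preg_replace /e modifier, which evaluated the replacement string as PHP
 * code and was removed in PHP 7.0. That step is now a preg_replace_callback.
 *
 * @copyright No rights reserved, redistribute freely.
 * @link      http://www.52sunny.net
 * @name      html filter
 * @version   v0.0.10
 * @author    Lucklrj ([email protected], qq:7691272)
 * @lastmodified 2006-06-09 10:42 (Tue, 2006-06-09)
 * @notice    This version only filters scripts, frames and forms.
 *            The author's abilities are limited; the author takes no
 *            responsibility for security problems arising from its use.
 *            Correspondence is welcome.
 *
 * NOTE(review): the regular expressions below were reconstructed from a copy
 * that had lost its backslashes and spaces; verify them against the original
 * source before relying on them. The filter is a denylist: it strips a fixed
 * set of known constructs and passes everything else through unchanged, so
 * the result should still be escaped (htmlspecialchars) or run through an
 * allowlist-based sanitizer at the point where it is rendered.
 */

/**
 * preg_replace that reports PCRE failures instead of silently yielding null.
 *
 * @param string $pattern     PCRE pattern
 * @param string $replacement replacement string (backreferences allowed)
 * @param string $subject     text to process
 * @return string the rewritten text
 * @throws RuntimeException when PCRE fails (bad pattern, backtrack limit, ...)
 */
function html_filter_replace(string $pattern, string $replacement, string $subject): string
{
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result === null) {
        // preg_replace returns null on error; letting that flow into the next
        // step would turn a filter failure into empty (or wrong) output.
        throw new RuntimeException('PCRE error ' . preg_last_error() . ' in pattern ' . $pattern);
    }
    return $result;
}

/**
 * Strip script, form and frame tags, "on..." event attributes and a few
 * script-URL forms from editor-generated HTML.
 *
 * The whole input is lower-cased first, then scripts/forms/frames are removed,
 * then any run starting with "on" up to a space, "|" or ">" is deleted (the
 * on-event pass). Because that pass would also damage tag names that contain
 * "on" (font, option, strong, ...) and href values, those are temporarily
 * upper-cased before it and the result is lower-cased again at the end.
 * Finally every "&" is rewritten as "&#x26;".
 *
 * @param string $str editor HTML (any case; whitespace runs are collapsed)
 * @return string filtered, lower-cased HTML
 * @throws RuntimeException when one of the PCRE passes fails
 */
function filter_unsafe_html(string $str): string
{
    /*
     * Tag / object names that contain the letters "on". The original list
     * had mixed-case entries (<baseFont, <clientInformation) that could never
     * match the lower-cased input, and listed <button twice; both lists are
     * now derived from one lower-case master list.
     */
    $tagsContainingOn = [
        'acronym', 'basefont', 'button', 'caption', 'clientinformation',
        'font', 'implementation', 'location', 'option', 'selection', 'strong',
    ];
    $htmOn = [];
    $htmOnUpper = [];
    foreach ($tagsContainingOn as $tag) {
        $htmOn[] = '<' . $tag;
        $htmOn[] = $tag . '>';
        $htmOnUpper[] = '<' . strtoupper($tag);
        $htmOnUpper[] = strtoupper($tag) . '>';
    }

    /* Character normalisation */
    $str = strtolower($str);
    $str = html_filter_replace('/\s+/', ' ', $str); // collapse line breaks and other whitespace runs
    $str = html_filter_replace('/ +/', ' ', $str);  // collapse repeated spaces

    /* Remove the various <script> forms */
    $str = html_filter_replace('/<(script.*?)>(.*?)<(\/script.*?)>/si', '', $str); // <script>...</script>
    $str = html_filter_replace('/<(script.*?)>/si', '', $str);                      // unclosed <script ...>

    /* Remove forms */
    $str = html_filter_replace('/<(\/?form.*?)>/si', '', $str);

    /* Remove frames */
    $str = html_filter_replace('/<(i?frame.*?)>(.*?)<(\/i?frame.*?)>/si', '', $str);

    /* on-event filter */
    // Upper-case href values so that an "on" inside a URL survives the pass
    // below (originally done with the /e modifier and an eval'd replacement).
    $str = preg_replace_callback(
        '/href=(.+?)(["\'| >])/i',
        static function (array $m): string {
            return 'href=' . strtoupper($m[1]) . $m[2];
        },
        $str
    );
    if ($str === null) {
        throw new RuntimeException('PCRE error ' . preg_last_error() . ' in href pass');
    }
    // Same trick for DHTML tag names containing "on"; a regex would be clumsy.
    $str = str_replace($htmOn, $htmOnUpper, $str);
    // Delete "on..." up to the next space, "|" or ">", keeping that delimiter.
    $str = html_filter_replace('/(on[^.<>]+?)([ |>])/s', '\2', $str);

    /* Script URLs in links and style/url() values: replace the value with '#' */
    $str = html_filter_replace(
        '/(href|src|background|url|dynsrc|expression|codebase)[=:(](["\']*?\w+\..*?|javascript|vbscript:[^>]*?)(\)?)([>\/ ])/si',
        "\\1='#'\\3\\4",
        $str
    );

    /* Back to lower case; the upper-casing above was only for the on-event pass */
    $str = strtolower($str);
    return str_replace('&', '&#x26;', $str);
}

$str = "<tr><td bgcolor='#FFFFFF'>
<div style='url(123.offsetWidth)>
";
// $str = "url(javascript:x)";

echo filter_unsafe_html($str);
?>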
