public function SafeFilter($arr){
if (empty($arr)) {
return false;
}
$ra=Array('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/','/script/','/javascript/','/vbscript/','/expression/','/applet/','/meta/','/xml/','/blink/','/link/','/style/','/embed/','/object/','/frame/','/layer/','/title/','/bgsound/','/base/','/onload/','/onunload/','/onchange/','/onsubmit/','/onreset/','/onselect/','/onblur/','/onfocus/','/onabort/','/onkeydown/','/onkeypress/','/onkeyup/','/onclick/','/ondblclick/','/onmousedown/','/onmousemove/','/onmouseout/','/onmouseover/','/onmouseup/','/onunload/');
if (is_array($arr)){
foreach ($arr as $key => $value){
//开始时判断是否为空
$isEmpty = false;
if (!is_array($value)){
if ($value) {
$isEmpty = true;
}
$value = addslashes($value); //给单引号(')、双引号(")、反斜线(\)与 NUL(NULL 字符)加上反斜线转义
$value = preg_replace($ra,'',$value); //删除非打印字符,粗暴式过滤xss可疑字符串
$arr[$key] = htmlentities(strip_tags($value)); //去除 HTML 和 PHP 标记并转换为 HTML 实体(包括title字符串)
if (empty($arr[$key]) && $isEmpty) {
return false;
}
}else{
$this->SafeFilter($arr[$key]);
}
}
}
return $arr;
}
注意
- 使用addslashes()转义函数,展示要使用反转义函数stripslashes()
- 使用htmlentities()来转义双引号,展示要使用反转义函数html_entity_decode()
|