How can I allow HTML tags to be entered without being exposed to XSS attacks?

Time: 2013-12-06 21:40:09

Tags: javascript php html html5

I know the <b> tag is harmless with regard to XSS, but after testing I found that if an onclick script tag is added it can be manipulated, for example
<b onclick="alert('xss');">Hello</b>

How can I block XSS on these low-level elements?

3 answers:

Answer 0 (score: 2)

It's best to use a regular expression:

<?php
$testStringA = '<b>I am a nice text without any evil characters</b>';
$testStringB = '<b onclick="alert(evil)">I am supposed to be evil. :) </b>';
// Only a plain <b>...</b> whose content is letters, digits and spaces matches
// (the original pattern had a-z/A-z, which also lets [ \ ] ^ _ ` through).
$pattern = '/<b>[a-zA-Z0-9 ]+<\/b>/';
if(preg_match($pattern, $testStringB)){
    // this will NOT execute
    echo "TeststringB matches our pattern";
}
if(preg_match($pattern, $testStringA)){
    echo "TeststringA matches our pattern";
}
?>

will output

TeststringA matches our pattern

However, the RegEx above only allows a-z, A-Z, 0-9 and spaces (see the square brackets); you will need to modify it to suit your needs.

If you are using Javascript:

The nice thing about regular expressions is that they are portable to some extent. I rewrote the code above in JavaScript to show you that it is easier to understand:

// A regex literal: wrapping the pattern in "/.../" inside new RegExp("...") would
// make the slashes part of the pattern and nothing would ever match.
var re = /<b>[a-zA-Z0-9 ]+<\/b>/;
var testStringA = '<b>I am a nice text without any evil characters</b>';
var testStringB = '<b onclick="alert(evil)">I am supposed to be evil. :) </b>';
if(re.test(testStringA)){
    alert(testStringA);   // shown: plain <b> with harmless content
}
if(re.test(testStringB)){
    alert(testStringB);   // never shown: the onclick attribute breaks the match
}

Or see the fiddle here: http://jsfiddle.net/3hz42/

Answer 1 (score: 0)

This function may help someone; it is a Javascript function that removes XSS attributes from your string.

// Removes the listed event-handler, style and class attributes from every tag
// in the string (a blocklist: only these attribute names are touched).
// Handles double-quoted, single-quoted and unquoted attribute values.
function strip_attr(e){
    var attrs = ["onclick", "onfocus", "ondblclick", "style", "onmousedown",
                 "onmouseout", "onmouseover", "onmouseup", "class"];
    var r = e;
    for (var i = 0; i < attrs.length; i++) {
        // "value", 'value', or an unquoted value that ends at whitespace or '>'
        var re = new RegExp("(<[^>]+) " + attrs[i] +
                            "=(?:\"[^\"]*\"|'[^']*'|[^\\s>]*)", "gi");
        r = r.replace(re, "$1");
    }
    return r;
}

Edit
A PHP variant of the script, with added security

<?php
// Removes the listed event-handler, style and class attributes from every tag
// in the string (a blocklist: only these attribute names are touched).
// Handles double-quoted, single-quoted and unquoted attribute values.
function strip_attr($e){
    $attrs = array('onclick', 'onfocus', 'ondblclick', 'style', 'onmousedown',
                   'onmouseout', 'onmouseover', 'onmouseup', 'class');
    $r = $e;
    foreach ($attrs as $attr) {
        // "value", 'value', or an unquoted value that ends at whitespace or '>'
        $pattern = '/(<[^>]+) ' . $attr . '=(?:"[^"]*"|\'[^\']*\'|[^\s>]*)/i';
        $r = preg_replace($pattern, '$1', $r);
    }
    return $r;
}
?>

Answer 2 (score: -1)

Take the input and put it into a variable, e.g. $output

$output = preg_replace('/(<[^>]+) onclick=".*?"/i', '$1', $input);

Use the php function strip_tags()

Using Javascript:

document.getElementsByTagName("b")[0].removeAttribute("onclick");
document.getElementsByTagName("b")[0].removeAttribute("onfocus");
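An allowlist-based alternative to the regex matching and attribute blocklists in the answers above, added here as an example and not taken from any of the posts: only a fixed set of formatting tags is kept, every attribute on them is dropped, and all other markup is escaped to text, so an event handler that is missing from a blocklist cannot slip through. The tag set and the function names are assumptions for this example.

```javascript
// Allowlist sanitizer: keep a few formatting tags with no attributes at all,
// HTML-escape everything else so the browser never parses it as markup.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'u']);   // assumed allowlist

function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// One tag-like token: optional '/', a tag name, then anything up to the next '>'.
// Odd or malformed input simply fails to match and falls through to escaping,
// which is the safe direction (a '>' inside a quoted attribute cuts the tag short
// and the remainder is emitted as escaped text).
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^<>]*>/g;

function sanitizeHtml(input) {
  let out = '';
  let last = 0;
  const open = [];                 // stack of currently open allowed tags
  for (const m of input.matchAll(TAG_RE)) {
    out += escapeHtml(input.slice(last, m.index));   // text between tags
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(m[0]);     // unknown tag (script, img, ...): render as text
    } else if (!closing) {
      out += `<${name}>`;          // attributes (onclick, style, ...) deliberately dropped
      open.push(name);
    } else if (open.length && open[open.length - 1] === name) {
      out += `</${name}>`;
      open.pop();
    } else {
      out += escapeHtml(m[0]);     // stray closing tag: render as text
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += `</${open.pop()}>`;     // close anything left open
  return out;
}
```

Because the output contains only `<tag>` and `</tag>` for allowlisted names plus escaped text, the `<b onclick="alert('xss');">Hello</b>` from the question comes out as `<b>Hello</b>`.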