كود PHP:
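/**
 * Blacklist-style XSS filter for untrusted HTML fragments (user comments and the like).
 *
 * Every pass applies, in this order:
 *   1. removal of on* / xmlns attributes. The attribute must be preceded by whitespace, a
 *      quote or a '/', and everything from it up to the closing '>' is dropped. The '/' is
 *      needed because browsers accept `<img src="x"/onerror=...>` as an attribute separator.
 *   2. neutralisation of `javascript:` and `vbscript:` URL schemes in any attribute value,
 *      even when the letters are separated by NUL/control characters or whitespace
 *      ("java script :" is honoured by old IE), with optional quote/backtick delimiters.
 *   3. removal of namespace-prefixed elements such as `<svg:script>`.
 *   4. removal of a fixed list of dangerous elements (open and close tags). Names are matched
 *      as prefixes, so e.g. `<metadata>` and `<basefont>` go as well.
 *
 * All four passes repeat until the string stops changing, because removing one element can
 * expose another pattern: `<sc<script>ript>` becomes `<script>`, and
 * `<img src=x o<script>nerror=alert(1)>` becomes `<img src=x onerror=alert(1)>`. Running
 * passes 1-3 only once (as the earlier version did) left that second case with a live handler.
 * The loop terminates: every replacement either deletes text or consumes a ':' (scheme
 * rewrite), and no replacement introduces a ':' or '<'.
 *
 * Known gaps of this blacklist, to be aware of before relying on it: HTML-entity-encoded
 * schemes (`&#106;avascript:`, `javascript&colon;`) are not recognised, `data:` URLs and
 * `style` attributes pass through, and only the listed elements/schemes are touched. It is
 * also coarse: a legitimate attribute value such as title="online" is clipped. Prefer an
 * allow-list sanitizer that validates attributes, or htmlspecialchars() when no markup is
 * needed.
 *
 * @param string $str untrusted HTML fragment
 * @return string filtered fragment; '' if PCRE reports an error (fail closed rather than
 *                returning partially filtered HTML)
 */
function CleanXSS($str){
    // Optional run of NUL/control characters or spaces that may sit between any two
    // characters of a URL scheme ("j a v a s c r i p t :").
    $gap = '[\x00-\x20]*';
    // attr = ["'`] javascript:   — the quote/backtick group is captured so it can be kept.
    $jsScheme = '#([a-z]*)' . $gap . '=' . $gap . '([`\'"]*)' . $gap
        . implode($gap, str_split('javascript')) . $gap . ':#iU';
    $vbScheme = '#([a-z]*)' . $gap . '=' . $gap . '([`\'"]*)' . $gap
        . implode($gap, str_split('vbscript')) . $gap . ':#iU';

    // Patterns and their replacements, applied in this order on every pass.
    $patterns = [
        // 1. on*= / xmlns= attributes, preceded by whitespace, a quote or '/'; clipped to tag end.
        '#(<[^>]+[\s\r\n"\'/])(on|xmlns)[^>]*>#iU',
        // 2. script URL schemes in attribute values.
        $jsScheme,
        $vbScheme,
        // 3. namespace-prefixed elements (<prefix:name ...> and </prefix:name>).
        '#</*\w+:\w[^>]*>#i',
        // 4. dangerous elements; `embed` belongs with `object` (plugin / external content).
        '#</*(\?xml|applet|meta|xml|blink|link|style|script|object|embed|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',
    ];
    $replacements = [
        '${1}>',
        '${1}=${2}nojavascript...',
        '${1}=${2}novbscript...',
        '',
        '',
    ];

    do {
        $before = $str;
        $str = preg_replace($patterns, $replacements, $str);
        if ($str === null) {
            // PCRE failure (e.g. backtrack limit on hostile input): never hand back
            // half-filtered markup.
            return '';
        }
    } while ($str !== $before);

    return $str;
}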
$text='""<img src="iii.pic" alt="gfgfgfgfgfgfgfgfgfgfgfgfgfgfg" onclick="alert(1);" />';
$text=CleanXSS($text);
$text = strip_tags($text,'<font>,<b>,<title>,<i>,<u>,<p>,</p>,</font>,</b>,<hl>,<ul>,<li>,<ol>,</li>,</ol>,<a>,<img>,<hr />,<br>,<br />,<sub>,<span>,</span>,<h2>,<h3>,<h4>,<h5>,<h6>,<pref>,</pref>,<address>,<hr>');
echo $text;
مثال توضيحي : ............................