一个过滤html不安全代码的函数
[php]
<?php
// Sample input: an <object> tag carrying an inline event-handler attribute.
$str = "<object onasd='asd'>";
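/**
 * Blacklist filter for HTML fragments that neutralises the most common active-content
 * constructs: <script> and <frame>/<iframe> tags are entity-encoded so a browser renders
 * them as text, <form> and <object> tags are removed, and on*= event-handler attributes
 * (onclick, onerror, ...) are renamed to 0n*= on every remaining tag so browsers ignore them.
 *
 * Compared with the earlier version: the script/frame/event-handler replacements used to
 * reproduce their own match verbatim (a no-op), and the bracketed "alternations" such as
 * [^tr|^td|^table|^tbody] were read by PCRE as single-character classes, so tags like
 * <img onerror=...> passed through untouched. Whitespace collapsing and the removal of
 * form/object tags behave as before.
 *
 * Limitations: this is a regular-expression blacklist. It does not understand quoted
 * attribute values containing '>', javascript: URLs, <svg>/<math> content or entity-encoded
 * payloads, so it must not be the only defence for untrusted input; prefer encoding all
 * output with htmlspecialchars() or an allowlist-based HTML sanitiser.
 *
 * @param string $str HTML fragment to filter
 * @return string the filtered fragment ('' for empty input)
 */
function del_html($str)
{
    $str = (string) $str;
    if ($str === '') {
        return '';
    }
    // Collapse runs of whitespace (including newlines) into a single space, as before.
    $str = preg_replace('/\s+/', ' ', $str);

    // Rewrites the angle brackets of a whole matched tag/block so it is displayed as text.
    $encode = static function (array $m) {
        return str_replace(['<', '>'], ['&lt;', '&gt;'], $m[0]);
    };

    // <script ...>...</script> blocks first, then any stray opening/closing script tag.
    $str = preg_replace_callback('/<script\b[^>]*>.*?<\/script\b[^>]*>/si', $encode, $str);
    $str = preg_replace_callback('/<\/?script\b[^>]*>/si', $encode, $str);
    // Forms and objects are dropped entirely (unchanged behaviour).
    $str = preg_replace('/<\/?form\b[^>]*>/si', '', $str);
    $str = preg_replace('/<\/?object\b[^>]*>/si', '', $str);
    // Frame/iframe blocks, then stray frame tags.
    $str = preg_replace_callback('/<i?frame\b[^>]*>.*?<\/i?frame\b[^>]*>/si', $encode, $str);
    $str = preg_replace_callback('/<\/?i?frame\b[^>]*>/si', $encode, $str);
    // Inside every remaining opening tag, rename on*= attributes to 0n*= (table tags
    // included; the earlier table-only rule did the same renaming).
    $str = preg_replace_callback(
        '/<[a-z][^>]*>/si',
        static function (array $m) {
            return preg_replace('/\bon([a-z]+)(\s*=)/i', '0n$1$2', $m[0]);
        },
        $str
    );

    return $str;
}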
// Run the sample input through the filter and emit the result.
print del_html($str);
?>
[/php]
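/**
 * Blacklist filter for HTML fragments: strips structural/embedding tags (html, head, meta,
 * form, frameset, iframe, applet, object, link), drops <style>/<title> blocks, blanks
 * <script> blocks, and defuses textual markers of active content ("javascript", the about:
 * and file: URL schemes, document.cookie, on*= handlers) by inserting or changing characters.
 *
 * Fixes in this version: the javascript / about|file / on*= replacements used to reproduce
 * their own match (a no-op); the <link> pattern swallowed one character after the tag; and
 * tag names are now matched as whole words, so <header> or <metadata> are no longer removed.
 *
 * Limitations: regex blacklists are bypassable (quoted '>' inside attribute values, split or
 * entity-encoded payloads, other URL schemes, <svg>/<math>). Use htmlspecialchars() on output
 * or an allowlist sanitiser for untrusted input rather than relying on this alone.
 *
 * @param string $string HTML fragment to filter
 * @return string the filtered fragment
 */
function badHtml($string)
{
    $string = (string) $string;
    // Structural and embedding tags, opening or closing, removed outright.
    $string = preg_replace('!<([/]?)(html|head|meta|form|frameset|iframe|applet|object)\b([^>]*)>!si', '', $string);
    // <style> blocks with their content, then any stray style tag.
    $string = preg_replace('!<style\b([^>]*)>.*?</style\s*>!si', '', $string);
    $string = preg_replace('!<([/]?)(style)\b([^>]*)>!si', '', $string);
    // <link ...> tags only (the old pattern also consumed one character after the tag).
    $string = preg_replace('!<link\b[^>]*>!si', '', $string);
    // <script> blocks are blanked to a single space; stray script tags likewise.
    $string = preg_replace('!<script\b([^>]*)>.*?</script\s*>!si', ' ', $string);
    $string = preg_replace('!<([/]?)(script)\b([^>]*)>!si', ' ', $string);
    // "javascript" -> "java script": browsers strip tabs/newlines from a URL scheme but not a
    // literal space, so a javascript: URL no longer resolves.
    $string = preg_replace('!javascript!i', 'java script', $string);
    // <title> blocks and stray title tags.
    $string = preg_replace('!<title\b([^>]*)>.*?</title\s*>!si', '', $string);
    $string = preg_replace('!<([/]?)(title)\b([^>]*)>!si', '', $string);
    // about: / file: get a space before the colon, which breaks the scheme.
    $string = preg_replace('!(about|file):!i', '$1 :', $string);
    // document.cookie is rewritten to a property name scripts never read.
    $string = preg_replace('!document\.cookie!i', 'documents.cookie', $string);
    // on*= event handlers become 0n*=, which browsers ignore as unknown attributes.
    $string = preg_replace('! on([a-z]+)([ ]*)=!is', ' 0n$1$2=', $string);
    return $string;
}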
