In PHP, XSS (cross-site scripting) is prevented by passing output through the htmlspecialchars() function, which escapes HTML-significant characters such as angle brackets and single and double quotes.

Pay attention to the second argument of htmlspecialchars(). If you call htmlspecialchars($string) with no flags, the second argument defaults to ENT_COMPAT, which converts only double quotes (") and leaves single quotes (') untouched.

So htmlspecialchars() is usually called with an explicit second argument: htmlspecialchars($string, ENT_QUOTES) converts both single and double quotes, and htmlspecialchars($string, ENT_NOQUOTES) converts neither.

Also, use htmlentities() sparingly. For plain English text, htmlentities() and htmlspecialchars() behave the same. With Chinese text, however, htmlentities() converts every character that has an HTML entity equivalent and mangles any Chinese characters it cannot recognize in the given charset.

htmlentities() and htmlspecialchars() do not handle characters such as the single quote (') in a way that makes them safe for SQL, so they only prevent XSS attacks, not SQL injection.

Call htmlentities() on values before outputting them with echo or print to prevent XSS; for a GB2312 page, write htmlentities($name, ENT_NOQUOTES, 'GB2312').
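As an added example (not code from the original post), the script below shows what the three quote flags actually escape when untrusted input is rendered inside a single-quoted attribute, and how htmlentities() differs from htmlspecialchars() on text that mixes Chinese characters with a symbol that has a named entity. Function names and the sample strings are assumptions constructed for the demonstration. Note that since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so the ENT_COMPAT default described above applies to older versions; passing the flags explicitly works the same everywhere.

```php
<?php
// Added example (not from the original post): what each quote flag escapes,
// and why it matters once untrusted data lands inside an HTML attribute.
// Function names here are hypothetical.

// Escape a value for an HTML body or attribute context. Since PHP 8.1 the
// default flags are already ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401; on
// older versions the default was ENT_COMPAT, so pass the flags explicitly.
function escape_html(string $value, int $flags = ENT_QUOTES | ENT_SUBSTITUTE): string
{
    return htmlspecialchars($value, $flags, 'UTF-8');
}

// Constructed untrusted input: a single quote followed by an extra attribute.
$input = "x' title='injected";

$modes = ['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES, 'ENT_NOQUOTES' => ENT_NOQUOTES];
foreach ($modes as $name => $flag) {
    // Rendered into a single-quoted attribute, as a template might do.
    $attr = "<input value='" . escape_html($input, $flag) . "'>";
    printf("%-12s %s\n", $name, $attr);
}
// ENT_COMPAT and ENT_NOQUOTES leave the single quote alone, so the input
// terminates the value attribute and adds a second attribute of its own.
// Only ENT_QUOTES converts the quote to a numeric entity and keeps the
// whole string inside the attribute value.

// htmlentities() vs htmlspecialchars(): both escape the HTML-significant
// characters, but htmlentities() additionally converts every character that
// has a named entity (here the copyright sign). Chinese characters have no
// named entity, so with an explicit UTF-8 charset they pass through unchanged
// in both cases.
$text = "版权 © 2024 <b>";
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlentities($text, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it from the command line and compare the three attribute lines: only the ENT_QUOTES variant keeps the injected text inside the value attribute, which is why the attribute context should never be escaped with ENT_NOQUOTES.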

(1) The page keeps refreshing.

<?php
$_GET    && SafeFilter($_GET);
$_POST   && SafeFilter($_POST);
$_COOKIE && SafeFilter($_COOKIE);

// Blacklist filter: strips control characters and a list of tag names and
// event-handler names from every string in the array (recursively), then
// removes remaining tags and HTML-encodes the result.
function SafeFilter(&$arr)
{
    $ra = array('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '/script/', '/javascript/', '/vbscript/',
        '/expression/', '/applet/', '/meta/', '/xml/', '/blink/', '/link/', '/style/', '/embed/',
        '/object/', '/frame/', '/layer/', '/title/', '/bgsound/', '/base/', '/onload/', '/onunload/',
        '/onchange/', '/onsubmit/', '/onreset/', '/onselect/', '/onblur/', '/onfocus/', '/onabort/',
        '/onkeydown/', '/onkeypress/', '/onkeyup/', '/onclick/', '/ondblclick/', '/onmousedown/',
        '/onmousemove/', '/onmouseout/', '/onmouseover/', '/onmouseup/', '/onunload/');
    if (is_array($arr)) {
        foreach ($arr as $key => $value) {
            if (!is_array($value)) {
                // Do not call addslashes() on input already escaped by magic_quotes_gpc,
                // to avoid double escaping. get_magic_quotes_gpc() no longer exists in
                // PHP 8, where magic quotes are always off.
                if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
                    $value = addslashes($value);
                }
                $value = preg_replace($ra, '', $value);
                $arr[$key] = htmlentities(strip_tags($value));
            } else {
                SafeFilter($arr[$key]);
            }
        }
    }
}

// The filter works in place on an array, so wrap the test string in one.
$data = array('str' => 'www.90boke.com<meta http-equiv="refresh" content="0;">');
SafeFilter($data); // If you comment this line out, echo $data['str'] keeps refreshing the page after submission.
echo $data['str'];
?>
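The filter above works by deleting known-dangerous words. The following added example (not code from the original post) contrasts a cut-down copy of that keyword blacklist with plain output encoding on two constructed inputs: the post's own refresh tag and an ordinary sentence that happens to contain blacklisted substrings. Function names are hypothetical.

```php
<?php
// Added example (not from the original post): keyword blacklist versus
// output encoding, on constructed inputs. Function names are hypothetical.

// A cut-down version of the blacklist idea from SafeFilter(): delete a list of
// dangerous-looking words, strip tags, then HTML-encode whatever is left.
function blacklist_strip(string $value): string
{
    $banned = ['/script/', '/meta/', '/link/', '/style/', '/title/', '/onload/'];
    $value = preg_replace($banned, '', $value);
    return htmlentities(strip_tags($value), ENT_QUOTES, 'UTF-8');
}

// Output encoding: keep the text exactly as typed and make it inert in HTML.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the post's refresh example, and a harmless sentence
// containing the substrings "link", "title" and "style".
$samples = [
    'www.90boke.com<meta http-equiv="refresh" content="0;">',
    'Click the hyperlink in the title bar to change the style',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "blacklist: " . blacklist_strip($s) . "\n";
    echo "encoded:   " . encode_for_html($s) . "\n\n";
}
// The blacklist neutralises the refresh tag, but it also damages the harmless
// sentence ("hyperlink" loses "link", "title" and "style" vanish), and any
// tag or attribute name it does not list passes through untouched.
// Encoding changes neither the meaning nor the wording: the angle brackets and
// quotes become entities, so the browser displays the meta tag as text instead
// of obeying it.
```

The practical rule this illustrates: filter input for what your application expects, but neutralise XSS by encoding at the point of output, where the context (HTML body, attribute, URL) is known.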

// ---------------- PHP anti-injection and XSS general filter ---- Start ----------------
function string_remove_xss($html)
{
    // Collect every <...> tag, escape all angle brackets, then restore only
    // the tags on the allow list after scrubbing their contents.
    preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
    $searchs  = array();
    $replaces = array();
    $searchs[]  = '<';
    $replaces[] = '&lt;';
    $searchs[]  = '>';
    $replaces[] = '&gt;';
    if ($ms[1]) {
        $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote';
        $ms[1] = array_unique($ms[1]);
        foreach ($ms[1] as $value) {
            $searchs[] = "&lt;" . $value . "&gt;";
            // Protect already-encoded ampersands while the tag body is escaped.
            $value = str_replace('&amp;', '_uch_tmp_str_', $value);
            $value = string_htmlspecialchars($value);
            $value = str_replace('_uch_tmp_str_', '&amp;', $value);
            $value = str_replace(array('\\', '/*'), array('.', '/.'), $value);
            // Event handlers and other dangerous words are replaced with a dot.
            $skipkeys = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
                'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste',
                'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange',
                'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable',
                'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend',
                'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate',
                'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown',
                'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown',
                'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup',
                'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange',
                'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter',
                'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange',
                'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload', 'javascript', 'script', 'eval',
                'behaviour', 'expression', 'style', 'class');
            $skipstr = implode('|', $skipkeys);
            $value = preg_replace(array("/($skipstr)/i"), '.', $value);
            // Anything that is not an allowed tag name (or its closing tag) is dropped.
            if (!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
                $value = '';
            }
            $replaces[] = empty($value) ? '' : "<" . str_replace('&quot;', '"', $value) . ">";
        }
    }
    $html = str_replace($searchs, $replaces, $html);
    return $html;
}

// htmlspecialchars() wrapper that also handles arrays and preserves numeric entities.
function string_htmlspecialchars($string, $flags = null)
{
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = string_htmlspecialchars($val, $flags);
        }
    } else {
        if ($flags === null) {
            $string = str_replace(array('&', '"', '<', '>'), array('&amp;', '&quot;', '&lt;', '&gt;'), $string);
            // Restore numeric character references such as &#12345; or &#x4e2d; that were just double-encoded.
            if (strpos($string, '&amp;#') !== false) {
                $string = preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4}));)/', '&\\1', $string);
            }
        } else {
            if (version_compare(PHP_VERSION, '5.4.0', '<')) {
                $string = htmlspecialchars($string, $flags);
            } else {
                if (!defined('CHARSET') || (strtolower(CHARSET) == 'utf-8')) {
                    $charset = 'UTF-8';
                } else {
                    $charset = 'ISO-8859-1';
                }
                $string = htmlspecialchars($string, $flags, $charset);
            }
        }
    }
    return $string;
}
// ---------------- PHP anti-injection and XSS general filter ---- End ----------------

Settings in PHP

PHP 5.2 and later support the HttpOnly cookie flag, and php.ini has a global HttpOnly setting for the session cookie:

session.cookie_httponly =

Set it to 1 or TRUE to enable the HttpOnly attribute globally for the session cookie; it can also be enabled in code:

<?php
ini_set("session.cookie_httponly", 1);
// or
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>

The setcookie() and setrawcookie() functions also take a seventh parameter that sets the HttpOnly flag.

<?php
// The seventh argument is the httponly flag.
setcookie("abc", "test", 0, "", "", false, true);
setrawcookie("abc", "test", 0, "", "", false, true);
?>
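The positional seven-argument form above is the older API. As an added example (not code from the original post), the script below sets the same HttpOnly flag through the options-array form that session_set_cookie_params() and setcookie() accept since PHP 7.3, pairs it with the Secure and SameSite attributes that usually go with it (which goes slightly beyond the post's HttpOnly-only setting), and reads the effective session cookie flags back so a deployment check can confirm the flag is really on. Function names are hypothetical.

```php
<?php
// Added example (not from the original post): HttpOnly via the options-array
// form available since PHP 7.3, plus a read-back check. Names are hypothetical.

// Apply cookie flags for the session cookie; must run before session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, cleared when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from document.cookie, the XSS-related flag
        'samesite' => 'Lax',
    ]);
}

// Set an application cookie with the same flags (must run before any output).
function set_hardened_cookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Read back the effective session cookie flags, whether they came from
// php.ini (session.cookie_httponly) or from a runtime override.
function session_cookie_flags(): array
{
    $p = session_get_cookie_params();
    return ['httponly' => (bool) $p['httponly'], 'secure' => (bool) $p['secure']];
}

harden_session_cookie();
set_hardened_cookie('abc', 'test', 3600);
var_dump(session_cookie_flags());
```

HttpOnly stops script from reading the cookie; it does not stop a script injected through XSS from acting on the user's behalf while the page is open, so it complements output encoding rather than replacing it.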