我有一个安全功能,它是脚本的一部分。它应该过滤掉在输入表单中执行的恶意代码。它可以正常处理来自 AZ 的普通字符,但它会拒绝带有 á、ñ、ö 等字符的输入。
我该怎么做才能不拒绝带有这些字符的表单输入?这是功能:
function add_special_chars($string, $no_quotes = FALSE)
{
$patterns = array(
"/(?i)javascript:.+>/",
"/(?i)vbscript:.+>/",
"/(?i)<img.+onload.+>/",
"/(?i)<body.+onload.+>/",
"/(?i)<layer.+src.+>/",
"/(?i)<meta.+>/",
"/(?i)<style.+import.+>/",
"/(?i)<style.+url.+>/"
);
$string = str_ireplace("&","&",$string);
if (!$no_quotes) $string = str_ireplace("'","'",$string);
$string = str_ireplace('"','"',$string);
$string = str_ireplace('<','<',$string);
$string = str_ireplace('>','>',$string);
$string = str_ireplace(' ',' ',$string);
foreach ($patterns as $pattern)
{
if(preg_match($pattern, $string))
{
$string = strip_tags($string);
}
}
$string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', "$1;", $string);
$string = preg_replace('#(&\#x*)([0-9A-F]+);*#iu', "$1$2;", $string);
$string = html_entity_decode($string, ENT_COMPAT, LANG_CODEPAGE);
$string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])(on|xmlns)[^>]*>#iUu', "$1>", $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iUu', '$1=$2novbscript...', $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*-moz-binding[\x00-\x20]*:#Uu', '$1=$2nomozbinding...', $string);
$string = preg_replace('#([a-z]*)[\x00-\x20\/]*=[\x00-\x20\/]*([\`\'\"]*)[\x00-\x20\/]*data[\x00-\x20]*:#Uu', '$1=$2nodata...', $string);
$string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string);
$string = preg_replace('#</*\w+:\w[^>]*>#i', "", $string);
do
{
$original_string = $string;
$string = preg_replace('#</*(applet|meta|xml|blink|link|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $string);
}
while ($original_string != $string);
return $string;
}
更新:我发现以下行似乎导致了问题,但不知道为什么:
$string = preg_replace('#(<[^>]+[\x00-\x20\"\'\/])style[^>]*>#iUu', "$1>", $string);