对于使用富文本编辑器,提交数据后,样式被过滤的问题
对于使用富文本编辑器、提交数据后样式也被过滤掉的问题,我继承了安全类 CI_Security 做了相应调整:把 style 从要删除的属性列表里去掉,并在 _never_allowed_str 里补充了几个和 CSS 相关的关键字。大家看看还有哪里需要补充的。
class APP_Security extends CI_Security {
protected $_never_allowed_str = array(
'expression' => '',//添加对expression的过滤
'XSS:' => '',/添加对XSS的过滤
'document.cookie' => '',
'document.write' => '',
'.parentNode' => '',
'.innerHTML' => '',
'window.location' => '',
'-moz-binding' => '',
'<!--' => '<!--',
'-->' => '-->',
'<![CDATA[' => '<![CDATA[',
'<comment>' => '<comment>'
);
protected function _remove_evil_attributes($str, $is_image)
{
// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
$evil_attributes = array('on\w*', 'xmlns', 'formaction');//去掉对style的过滤
if ($is_image === TRUE)
{
/*
* Adobe Photoshop puts XML metadata into JFIF images,
* including namespacing, so we have to allow this for images.
*/
unset($evil_attributes);
}
do {
$count = 0;
$attribs = array();
// find occurrences of illegal attribute strings without quotes
preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
foreach ($matches as $attr)
{
$attribs[] = preg_quote($attr, '/');
}
// find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is",$str, $matches, PREG_SET_ORDER);
foreach ($matches as $attr)
{
$attribs[] = preg_quote($attr, '/');
}
// replace illegal attribute strings that are inside an html tag
if (count($attribs) > 0)
{
$str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count);
}
} while ($count);
return $str;
}
style 不是靠"不再删除这个属性"就能安全放行的:只要 style 能通过,CSS 里写 expression()、-moz-binding 之类的东西一样能触发 XSS,上面那几个字符串替换只是部分缓解。比较稳妥的做法是对 style 的值按 CSS 属性白名单做解析和过滤,网上有开源的实现可以参考。这样应该算是比较安全了,不过会牺牲一些效率,没办法的事。