Jump to content

ajuda preg_replace


triplexim32

Recommended Posts

pois bem estou a fazer um script para remover todas as tentativas de XSS (remover o javascript) numa string, e tenho isto:

//remove breaks
$message = preg_replace("/(\r\n|\n)*/", '', $message);

//remove extra spaces
$message = preg_replace('/\s\s+/', ' ', $message);

//remove "on" events <a onclick="xss" class="style1"...>
$message = preg_replace("#<(.*?)on[a-z]*(\s*)=(\s*)['|\"](\s|\d|\w)*['|\"]#Smi", '<$1', $message);

//remove coments (some browsers allow "<!-- --!>" and "<!-- -->")
$message = preg_replace("/<!--(\s|\d|\w)*(-->|--!>)/", '', $message);

/*remove <script> XSS </script>*/
$message = preg_replace("#<script(.*)>(.*)</script(.*)>#Smi", '', $message);

//remove href="javascript:XSS"
$message = preg_replace("#href(\s*)=(\s*)['|\"](\s*)javascript(\s*)\d|\w|\s)*['|\"]#Smi", '', $message);

return $message;

so que estou a ter sérios problemas nesta parte:

$message = preg_replace("#<(.*?)on[a-z]*(\s*)=(\s*)['|\"](\s|\d|\w)*['|\"]#Smi", '<$1', $message);

(a ideia disto é remover todos os eventos ON<qualquerCoisa>, do genero:

< onclick    =  " XSS " (e manter tudo o que esta para a frente igual

Se eu meter isto

echo html("<a5555wrwe href=\"asasd\"          OnuClick      =\"  /  xss \" class=\"sdfsd\">sdfsdf</a>");

Devido aquela "\" jã nao me vai fazer a substituição.

Ja tentei "(...) ['|\"](.*)['|\"] (...)" mas isto esta-me a comer o resto das linhas.

Alguma ajuda?

<

Link to comment
Share on other sites

Não percebi a dúvida, mas olha que as barras sao apenas para 'escapar' as aspas, não fazem parte da string.

tas a falar disto:

$message = preg_replace("/<!--(\s|\d|\w)*(-->|--!>)/", '', $message);

Eu aqui:

$message = preg_replace("#<(.*?)on[a-z]*(\s*)=(\s*)['|\"](\s|\d|\w)*['|\"]#Smi", '<$1', $message);

Queria remover todos os eventos ON das tags de HTML

<

Link to comment
Share on other sites

Encontrei isto na net:

function CF_strip_tags($text){ 
$allowedTags=	 "<a><b><i><em>
"; 
$evilAttributes= "onclick|ondblclick|onmouseover|onmouseout|onmousedown|onmouseup|". 
"onkeypress|onkeydown|onkeyup|". 
"onload|onchange|onfocus|onblur|". 
"style|width|height"; 

$pattern=array(); 
$quoteSymbols=	 array("'",'"'); 
foreach($quoteSymbols as $qS){ 
$pattern[] = "/href\s*?=\s*?".$qS."\s*(javascript).*?".$qS."/si"; 
$pattern[] = "/(".$evilAttributes.")\s*?=\s*?".$qS.".*?".$qS."/si"; 
} 
return preg_replace($pattern,"",strip_tags($text,$allowedTags)); 
}
Link to comment
Share on other sites

Encontrei isto na net:

function CF_strip_tags($text){ 
$allowedTags=	 "<a><b><i><em>
"; 
$evilAttributes= "onclick|ondblclick|onmouseover|onmouseout|onmousedown|onmouseup|". 
"onkeypress|onkeydown|onkeyup|". 
"onload|onchange|onfocus|onblur|". 
"style|width|height"; 

$pattern=array(); 
$quoteSymbols=	 array("'",'"'); 
foreach($quoteSymbols as $qS){ 
$pattern[] = "/href\s*?=\s*?".$qS."\s*(javascript).*?".$qS."/si"; 
$pattern[] = "/(".$evilAttributes.")\s*?=\s*?".$qS.".*?".$qS."/si"; 
} 
return preg_replace($pattern,"",strip_tags($text,$allowedTags)); 
}

Ja adaptei e penso que funciona e faz todo o que eu quero 🙂

Muito obrigado pela ajuda  👍

<

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

By using this site you accept our Terms of Use and Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.