CI安全类提供了全局防御CSRF攻击和XSS攻击策略,只需要在配置文件开启即可:
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">Google</a>
*
* Note: Use rawurldecode() so it does not remove plus signs
*
*/
$str = rawurldecode($str);
/*
* Convert character entities to ASCII
*
* This permits our tests below to work reliably.
* We only convert entities that are within tags since
* these are the ones that will pose security problems.
*
*/
$str = preg_replace_callback(\"/[a-z]+=([\\\'\\\"]).*?\\\\1/si\", array($this, \'_convert_attribute\'), $str);
$str = preg_replace_callback(\"/<\\w+.*?(?=>|<|$)/si\", array($this, \'_decode_entity\'), $str);
/*
* Remove Invisible Characters Again!
*/
$str = remove_invisible_characters($str);
/*
* Convert all tabs to spaces
*
* This prevents strings like this: ja vascript
* NOTE: we deal with spaces between characters later.
* NOTE: preg_replace was found to be amazingly slow here on
* large blocks of data, so we use str_replace.
*/
if (strpos($str, \"\\t\") !== FALSE)
{
$str = str_replace(\"\\t\", \' \', $str);
}
/*
* Capture converted string for later comparison
*/
$converted_string = $str;
// Remove Strings that are never allowed
$str = $this->_do_never_allowed($str);
/*
* Makes PHP tags safe
*
* Note: XML tags are inadvertently replaced too:
*
* <?xml
*
* But it doesn\'t seem to pose a problem.
*/
if ($is_image === TRUE)
{
// Images have a tendency to have the PHP short opening and
// closing tags every so often so we skip those and only
// do the long opening tags.
$str = preg_replace(\'/<\\?(php)/i\', \"<?\\\\1\", $str);
}
else
{
$str = str_replace(array(\'<?\', \'?\'.\'>\'), array(\'<?\', \'?>\'), $str);
}
/*
* Compact any exploded words
*
* This corrects words like: j a v a s c r i p t
* These words are compacted back to their correct state.
*/
$words = array(
\'javascript\', \'expression\', \'vbscript\', \'script\', \'base64\',
\'applet\', \'alert\', \'document\', \'write\', \'cookie\', \'window\'
);
foreach ($words as $word)
{
$temp = \'\';
for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
{
$temp .= substr($word, $i, 1).\"\\s*\";
}
// We only want to do this when it is followed by a non-word character
// That way valid stuff like \"dealer to\" does not become \"dealerto\"
$str = preg_replace_callback(\'#(\'.substr($temp, 0, -3).\')(\\W)#is\', array($this, \'_compact_exploded_words\'), $str);
}
/*
* Remove disallowed Javascript in links or img tags
* We used to do some version comparisons and use of stripos for PHP5,
* but it is dog slow compared to these simplified non-capturing
* preg_match(), especially if the pattern exists in the string
*/
do
{
$original = $str;
if (preg_match(\"/<a/i\", $str))
{
$str = preg_replace_callback(\"#<a\\s+([^>]*?)(>|$)#si\", array($this, \'_js_link_removal\'), $str);
}
if (preg_match(\"/<img/i\", $str))
{
$str = preg_replace_callback(\"#<img\\s+([^>]*?)(\\s?/?>|$)#si\", array($this, \'_js_img_removal\'), $str);
}
if (preg_match(\"/script/i\", $str) OR preg_match(\"/xss/i\", $str))
{
$str = preg_replace(\"#<(/*)(script|xss)(.*?)\\>#si\", \'[removed]\', $str);
}
}
while($original != $str);
unset($original);
// Remove evil attributes such as style, onclick and xmlns
$str = $this->_remove_evil_attributes($str, $is_image);
/*
* Sanitize naughty HTML elements
*
* If a tag containing any of the words in the list
* below is found, the tag gets converted to entities.
*
* So this: <blink>
* Becomes: <blink>
*/
$naughty = \'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss\';
$str = preg_replace_callback(\'#<(/*\\s*)(\'.$naughty.\')([^><]*)([><]*)#is\', array($this, \'_sanitize_naughty_html\'), $str);
/*
* Sanitize naughty scripting elements
*
* Similar to above, only instead of looking for
* tags it looks for PHP and JavaScript commands
* that are disallowed. Rather than removing the
* code, it simply converts the parenthesis to entities
* rendering the code un-executable.
*
* For example: eval(\'some code\')
* Becomes: eval(\'some code\')
*/
$str = preg_replace(\'#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\\s*)\\((.*?)\\)#si\', \"\\\\1\\\\2(\\\\3)\", $str);
// Final clean up
// This adds a bit of extra precaution in case
// something got through the above filters
$str = $this->_do_never_allowed($str);
/*
* Images are Handled in a Special Way
* - Essentially, we want to know that after all of the character
* conversion is done whether any unwanted, likely XSS, code was found.
* If not, we return TRUE, as the image is clean.
* However, if the string post-conversion does not matched the
* string post-removal of XSS, then it fails, as there was unwanted XSS
* code found and removed/changed during processing.
*/
if ($is_image === TRUE)
{
return ($str == $converted_string) ? TRUE: FALSE;
}
log_message(\'debug\', \"XSS Filtering completed\");
return $str;
}
// --------------------------------------------------------------------
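/**
 * Returns the per-request random marker used to shield "&name=value"
 * pairs in URLs while character entities are being normalised.
 *
 * The value is generated once and cached in $this->_xss_hash. Every
 * branch yields a 32-character hex string, so callers that expect the
 * md5()-shaped output of the original implementation keep working.
 * A CSPRNG is preferred over the time-seeded mt_rand() of the original;
 * the legacy form is kept only as a fallback for runtimes that have
 * neither random_bytes() nor a strong openssl source.
 *
 * @return string 32 hex characters
 */
public function xss_hash()
{
    if ($this->_xss_hash == '')
    {
        if (function_exists('random_bytes'))
        {
            // PHP 7+: cryptographically secure source
            $this->_xss_hash = bin2hex(random_bytes(16));
        }
        else
        {
            $bytes = FALSE;
            $strong = FALSE;
            if (function_exists('openssl_random_pseudo_bytes'))
            {
                $bytes = openssl_random_pseudo_bytes(16, $strong);
            }

            if ($bytes !== FALSE && $strong)
            {
                $this->_xss_hash = bin2hex($bytes);
            }
            else
            {
                // Legacy fallback: a time-seeded mt_rand() is predictable and
                // is only used when no better source exists on this runtime.
                mt_srand();
                $this->_xss_hash = md5(time() + mt_rand(0, 1999999999));
            }
        }
    }

    return $this->_xss_hash;
}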
// --------------------------------------------------------------------
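/**
 * Decodes HTML character entities, including numeric entities that are
 * missing their trailing semicolon (html_entity_decode() leaves those as-is).
 *
 * The two numeric passes used to rely on the preg_replace() "e" modifier,
 * which was deprecated in PHP 5.5 and removed in PHP 7 (preg_replace() then
 * returns NULL and this method returned nothing usable). They now run
 * through preg_replace_callback() with the same patterns.
 *
 * @param string $str     text to decode
 * @param string $charset charset handed to html_entity_decode()
 * @return string
 */
public function entity_decode($str, $charset='UTF-8')
{
    // Fast path: without an ampersand there is nothing to decode
    if (strpos($str, '&') === FALSE)
    {
        return $str;
    }

    $str = html_entity_decode($str, ENT_COMPAT, $charset);

    // &#xHH..: 2-5 hex digits after optional leading zeros, semicolon optional.
    // chr() keeps only the low byte, exactly as the original chr(hexdec()) did.
    $str = preg_replace_callback(
        '~&#x(0*[0-9a-f]{2,5})~i',
        function ($m) { return chr(hexdec($m[1])); },
        $str
    );

    // &#DD..: 2-4 decimal digits, semicolon optional
    return preg_replace_callback(
        '~&#([0-9]{2,4})~',
        function ($m) { return chr((int) $m[1]); },
        $str
    );
}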
// --------------------------------------------------------------------<br />
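/**
 * Strips characters and sequences that are dangerous in a file name.
 *
 * Two changes from the single-pass original:
 *  - backslashes are stripped *before* the removal pass, so stripslashes()
 *    cannot reassemble a removed sequence out of what was left behind;
 *  - removal is repeated until the string stops changing, because one
 *    str_replace() pass can leave fragments that join back into one of the
 *    removed sequences.
 *
 * @param string $str           file name to sanitise
 * @param bool   $relative_path TRUE keeps "/" and "./" so a relative path survives
 * @return string
 */
public function sanitize_filename($str, $relative_path = FALSE)
{
    $bad = array(
        "../",
        "<!--",
        "-->",
        "<",
        ">",
        "'",
        '"',
        '&',
        '$',
        '#',
        '{',
        '}',
        '[',
        ']',
        '=',
        ';',
        '?',
        "%20",
        "%22",
        "%3c",   // <
        "%253c", // <
        "%3e",   // >
        "%0e",   // >
        "%28",   // (
        "%29",   // )
        "%2528", // (
        "%26",   // &
        "%24",   // $
        "%3f",   // ?
        "%3b",   // ;
        "%3d"    // =
    );

    if ( ! $relative_path)
    {
        // absolute names only: no directory separators at all
        $bad[] = './';
        $bad[] = '/';
    }

    $str = remove_invisible_characters($str, FALSE);
    $str = stripslashes($str);

    // Repeat until stable so that nothing in $bad survives
    do
    {
        $before = $str;
        $str = str_replace($bad, '', $str);
    }
    while ($before !== $str);

    return $str;
}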
/**
 * preg_replace_callback() helper: collapses the whitespace inside a word
 * that was written with gaps between its letters and re-attaches the
 * non-word character that followed it.
 *
 * @param array $matches [1] => spaced-out word, [2] => trailing non-word char
 * @return string
 */
protected function _compact_exploded_words($matches)
{
    $compacted = preg_replace('/\s+/s', '', $matches[1]);

    return $compacted.$matches[2];
}
// --------------------------------------------------------------------<br />
/**
 * Removes attributes that can carry script or hide content: every on*
 * event handler, style, xmlns and formaction.
 *
 * For image data xmlns is tolerated, because Photoshop writes namespaced
 * XML metadata into JFIF files. The collect-and-strip pass is repeated
 * until a pass performs no replacement.
 *
 * @param string $str      html to clean
 * @param bool   $is_image whether $str is image data rather than markup
 * @return string
 */
protected function _remove_evil_attributes($str, $is_image)
{
    $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');

    if ($is_image === TRUE)
    {
        // Photoshop embeds xmlns-bearing XML metadata in JFIF images
        unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
    }

    // alternation of attribute names, constant for the whole loop
    $names = implode('|', $evil_attributes);

    do
    {
        $count = 0;

        // quoted values: \042 and \047 are the octal codes for " and '
        preg_match_all('/('.$names.')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $quoted, PREG_SET_ORDER);

        // unquoted values: the value runs to the next whitespace or ">"
        preg_match_all('/('.$names.')\s*=\s*([^\s>]*)/is', $str, $unquoted, PREG_SET_ORDER);

        $attribs = array();
        foreach (array_merge($quoted, $unquoted) as $attr)
        {
            $attribs[] = preg_quote($attr[0], '/');
        }

        // strip the collected attribute strings, but only when they sit inside a tag
        if (count($attribs) > 0)
        {
            $str = preg_replace('/(<?)(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count);
        }
    }
    while ($count);

    return $str;
}
// --------------------------------------------------------------------<br />
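/**
 * preg_replace_callback() helper: neutralises a tag whose name is on the
 * naughty list by turning its angle brackets into entities, so "<blink>"
 * is emitted as "&lt;blink&gt;" and can no longer be parsed as markup.
 *
 * NOTE(review): the previous revision mapped '>' to '>' and '<' to '<',
 * i.e. it changed nothing although its comments say "encode"; the entity
 * forms are restored here.
 *
 * @param array $matches [1] => optional "/" and whitespace, [2] => tag name,
 *                       [3] => attribute text, [4] => trailing run of "<" / ">"
 * @return string
 */
protected function _sanitize_naughty_html($matches)
{
    // the opening bracket is always encoded
    $str = '&lt;'.$matches[1].$matches[2].$matches[3];

    // encode the captured trailing brackets too, so the output cannot be
    // re-read as a tag by a later pass (recursive vectors)
    $str .= str_replace(array('>', '<'), array('&gt;', '&lt;'), $matches[4]);

    return $str;
}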
// --------------------------------------------------------------------<br />
/**
 * preg_replace_callback() helper for <a> tags: rebuilds the attribute
 * list through _filter_attributes() and drops an href whose value carries
 * a script-like payload (javascript:, data:, alert(, document., ...).
 *
 * @param array $match [0] => the whole tag, [1] => its raw attribute string
 * @return string the tag with its attribute string replaced by the cleaned one
 */
protected function _js_link_removal($match)
{
    // brackets inside the attribute text are never legitimate
    $stripped = str_replace(array('<', '>'), '', $match[1]);
    $attributes = $this->_filter_attributes($stripped);

    $cleaned = preg_replace(
        '#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
        '',
        $attributes
    );

    return str_replace($match[1], $cleaned, $match[0]);
}
// --------------------------------------------------------------------<br />
/**
 * preg_replace_callback() helper for <img> tags: rebuilds the attribute
 * list through _filter_attributes() and drops a src whose value carries a
 * script-like payload (javascript:, base64 data, alert(, document., ...).
 *
 * @param array $match [0] => the whole tag, [1] => its raw attribute string
 * @return string the tag with its attribute string replaced by the cleaned one
 */
protected function _js_img_removal($match)
{
    // brackets inside the attribute text are never legitimate
    $stripped = str_replace(array('<', '>'), '', $match[1]);
    $attributes = $this->_filter_attributes($stripped);

    $cleaned = preg_replace(
        '#src=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
        '',
        $attributes
    );

    return str_replace($match[1], $cleaned, $match[0]);
}
// --------------------------------------------------------------------<br />
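/**
 * preg_replace_callback() helper applied to quoted attribute values before
 * entity decoding: encodes angle brackets as entities and doubles
 * backslashes, so a decoded value cannot open or close a tag.
 *
 * NOTE(review): the previous revision mapped '>' to '>' and '<' to '<'
 * (a no-op); the entity forms are restored here, the backslash doubling
 * is unchanged.
 *
 * @param array $match [0] => the attribute text (name="value")
 * @return string
 */
protected function _convert_attribute($match)
{
    return str_replace(array('>', '<', '\\'), array('&gt;', '&lt;', '\\\\'), $match[0]);
}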
// --------------------------------------------------------------------<br />
/**
 * Keeps only well-formed quoted attributes (name="value" / name='value')
 * from a raw attribute string and removes C-style comments hidden inside
 * them; everything that does not match that shape is dropped.
 *
 * @param string $str raw attribute text taken from a tag
 * @return string the surviving attributes, concatenated
 */
protected function _filter_attributes($str)
{
    // \042 and \047 are the octal codes for " and '
    $pattern = '#\s*[a-z\-]+\s*=\s*(\042|\047)([^\\1]*?)\\1#is';

    if ( ! preg_match_all($pattern, $str, $matches))
    {
        return '';
    }

    $pieces = array();
    foreach ($matches[0] as $attribute)
    {
        // strip /* ... */ comments that could split a forbidden token
        $pieces[] = preg_replace('#/\*.*?\*/#s', '', $attribute);
    }

    return implode('', $pieces);
}
// --------------------------------------------------------------------<br />
/**
 * preg_replace_callback() helper: decodes the entities of one matched tag
 * using the application charset from config_item('charset').
 *
 * @param array $match [0] => the matched tag text
 * @return string
 */
protected function _decode_entity($match)
{
    $charset = strtoupper(config_item('charset'));

    return $this->entity_decode($match[0], $charset);
}
// --------------------------------------------------------------------<br />
/**
 * Normalises character entities so they can be decoded reliably later:
 * appends a missing ";" to named/decimal and hex entities, while shielding
 * "&name=value" query-string pairs in URLs from that rewrite.
 *
 * @param string $str text containing entities and/or URLs
 * @return string
 */
protected function _validate_entities($str)
{
    // the marker is cached by xss_hash(), so one lookup is enough
    $marker = $this->xss_hash();

    // Shield "&name=value" query pairs from the semicolon passes below
    $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $marker."\\1=\\2", $str);

    // Standard entities: add the missing ";" so they convert to ASCII later
    $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str);

    // UTF-16 two-byte style entities (&#x..): same treatment
    $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', "\\1\\2;", $str);

    // Put the shielded "&" back
    return str_replace($marker, '&', $str);
}
// ----------------------------------------------------------------------<br />
/**
 * Applies the two "never allowed" lists: literal strings are replaced by
 * their configured substitutes, regex entries are replaced by "[removed]".
 *
 * @param string $str text to clean
 * @return string
 */
protected function _do_never_allowed($str)
{
    // literal replacements: key => substitute
    $str = str_replace(
        array_keys($this->_never_allowed_str),
        array_values($this->_never_allowed_str),
        $str
    );

    // pattern replacements, each wrapped in "#...#is" by convention
    foreach ($this->_never_allowed_regex as $pattern)
    {
        $str = preg_replace('#'.$pattern.'#is', '[removed]', $str);
    }

    return $str;
}
// --------------------------------------------------------------------<br />
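/**
 * Initialises the CSRF token for this request.
 *
 * If the CSRF cookie is present and holds a well-formed 32-hex-digit
 * value it is reused, so cookie and form field keep matching; otherwise a
 * fresh token is generated. A CSRF token must be unpredictable, so a
 * CSPRNG is used where the runtime provides one; the original
 * md5(uniqid(rand(), TRUE)) form is kept only as a last-resort fallback.
 *
 * @return string 32 hex characters
 */
protected function _csrf_set_hash()
{
    if ($this->_csrf_hash != '')
    {
        return $this->_csrf_hash;
    }

    // Reuse the cookie value when it looks exactly like a token we issued
    if (isset($_COOKIE[$this->_csrf_cookie_name]) &&
        preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->_csrf_cookie_name]) === 1)
    {
        return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
    }

    if (function_exists('random_bytes'))
    {
        // PHP 7+: cryptographically secure source
        return $this->_csrf_hash = bin2hex(random_bytes(16));
    }

    if (function_exists('openssl_random_pseudo_bytes'))
    {
        $bytes = openssl_random_pseudo_bytes(16, $strong);
        if ($bytes !== FALSE && $strong)
        {
            return $this->_csrf_hash = bin2hex($bytes);
        }
    }

    // Legacy fallback (predictable seed); only reached on very old runtimes
    return $this->_csrf_hash = md5(uniqid(rand(), TRUE));
}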
}<br />