• XSS defenses


    Defense through code changes

    As with SQL injection, XSS exploits carelessness in how a web page is written, so one further defense is to avoid the problem on the web application development side:

    Step 1: Perform reliable input validation on everything the user submits, including the URL, query parameters, HTTP headers and POST data. Accept only content that is within the specified length range, in the expected format and made up of the expected characters; reject everything else rather than trying to "clean" it.

    Step 2: Implement session tokens, a CAPTCHA, or an HTTP Referer header check so that the site's functions cannot be invoked from a third-party site. (Strictly speaking this counters cross-site request forgery rather than script injection itself; it limits what a script running on another origin can make the user's browser do to your site.)

    Step 3: Make sure the content you accept is properly normalized and contains only a minimal set of safe tags (no JavaScript); strip any reference to remote content (especially stylesheets and JavaScript); and mark cookies HttpOnly so that a script which does get injected cannot read them.

    Of course, the measures above reduce the usability of the web application: users can enter only a small set of permitted characters, and interaction between people and the system is cut to a minimum, so they suit only information-publishing sites. And since few web developers have had formal security training, it is hard to eliminate every XSS flaw in a page (note).
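    The three steps above as working code, written for this page as an added example (it is not code from the original post). It assumes a comment form with the fields name, email and age, and a site served from https://example.com; both are illustrative choices, not something the post specifies.

```php
<?php
// Added example, not code from the original post: the three steps above as
// working PHP for a comment form. The field set (name, email, age) and the
// site origin https://example.com are assumptions made for the illustration.
declare(strict_types=1);

const SITE_ORIGIN = 'https://example.com';

// Step 1: allowlist validation. Each field gets a length cap and a regex that
// describes the only shape accepted. Anything else is rejected rather than
// "cleaned", so there is no filter for an encoding trick to slip past.
const FIELD_RULES = [
    'name'  => ['max' => 40,  'pattern' => '/^[\p{L}\p{M} .\'-]+$/u'],
    'email' => ['max' => 254, 'pattern' => '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/'],
    'age'   => ['max' => 3,   'pattern' => '/^[0-9]{1,3}$/'],
];

/** Returns the list of problems found; an empty list means every field passed. */
function validate_fields(array $input): array
{
    $problems = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {                 // name[]=x arrives as an array: reject
            $problems[] = "$field: wrong type";
        } elseif (strlen($value) > $rule['max']) {
            $problems[] = "$field: too long";
        } elseif (preg_match($rule['pattern'], $value) !== 1) {   // also fails on invalid UTF-8
            $problems[] = "$field: missing or unexpected characters";
        }
    }
    foreach (array_keys(array_diff_key($input, FIELD_RULES)) as $extra) {
        $problems[] = "$extra: unexpected field";  // the allowlist is the whole contract
    }
    return $problems;
}

// Step 2: a per-session token that a third-party page cannot read, compared in
// constant time, plus an Origin/Referer check as a second line of defence.
function issue_csrf_token(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function csrf_token_is_valid(array $session, $submitted): bool
{
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

function request_is_same_origin(array $headers): bool
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        return false;                             // no header at all: treat as foreign
    }
    $p = parse_url($source);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']) . (isset($p['port']) ? ':' . $p['port'] : '');
    return $origin === SITE_ORIGIN;
}

// Step 3, cookie part: HttpOnly keeps the session cookie out of reach of any
// script that does get injected; Secure and SameSite cost nothing extra.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict', 'path' => '/']);

// Validation limits what gets stored; whatever is rendered still has to be
// encoded for its HTML context, or relaxing a rule later turns into an XSS.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed requests: one legitimate, one arriving from a third-party page.
$session = [];
$token = issue_csrf_token($session);
$requests = [
    'legit'   => ['headers' => ['Origin' => 'https://example.com'],
                  'post'    => ['name' => "O'Brien", 'email' => 'ob@example.org', 'age' => '42', 'csrf' => $token]],
    'foreign' => ['headers' => ['Referer' => 'https://attacker.example/lure.html'],
                  'post'    => ['name' => '<img src=x onerror=alert(1)>', 'email' => 'x', 'age' => '1e3', 'csrf' => 'guess', 'admin' => '1']],
];
foreach ($requests as $label => $req) {
    $post = $req['post'];
    $submitted = $post['csrf'] ?? null;
    unset($post['csrf']);
    $problems = validate_fields($post);
    if (!csrf_token_is_valid($session, $submitted)) {
        $problems[] = 'csrf: token missing or wrong';
    }
    if (!request_is_same_origin($req['headers'])) {
        $problems[] = 'origin: request did not come from ' . SITE_ORIGIN;
    }
    echo "$label: ", $problems ? implode('; ', $problems) : 'accepted, name renders as ' . html_text($post['name']), "\n";
}
```

    The point of html_text() at the end is that validation and output encoding are separate controls: the allowlist decides what is stored, and encoding at render time protects the page even if a rule is loosened later or the same value is shown in a context the validator never anticipated.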

    Here is some defense code (not written by me): The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html . Another excellent site is the XSS Database which details each attack and how it works.

    <?php
    function RemoveXSS($val) {
        // remove all non-printable characters. TAB(09), LF(0a) and CR(0d) are allowed
        // this prevents some character re-spacing such as <java\0script>
        // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
        // (the character class is written without the literal commas the original had, which deleted every "," from the input,
        // and runs up to \x1f so that no control character survives)
        $val = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);

        // straight replacements, the user should never need these since they're normal characters
        // this prevents things like <IMG SRC=&#106;avascript:alert('XSS')>, where &#106; is an entity-encoded "j"
        $search = 'abcdefghijklmnopqrstuvwxyz';
        $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $search .= '1234567890!@#$%^&*()';
        $search .= '~`";:?+/={}[]-_|\'\\';
        for ($i = 0; $i < strlen($search); $i++) {
            // ;? matches the ;, which is optional
            // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars
            // hex form: &#x6a; &#X006A; ... -> the plain character
            $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val);
            // decimal form: &#106; &#0000106; ... -> the plain character
            $val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val);
        }

        // now the only remaining whitespace attacks are \t, \n, and \r, either literal or entity-encoded
        $ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
        $ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
        $ra = array_merge($ra1, $ra2);

        $found = true; // keep replacing as long as the previous round replaced something
        while ($found == true) {
            $val_before = $val;
            for ($i = 0; $i < sizeof($ra); $i++) {
                // build a pattern that still matches the keyword when whitespace is spliced between its letters:
                // &#x9; &#xa; &#xd; (hex), &#9; &#10; &#13; (decimal) or a literal tab/newline/carriage return
                $pattern = '/';
                for ($j = 0; $j < strlen($ra[$i]); $j++) {
                    if ($j > 0) {
                        $pattern .= '(';
                        $pattern .= '(&#[xX]0{0,8}[9ad];)';
                        $pattern .= '|';
                        $pattern .= '(&#0{0,8}(9|10|13);)';
                        $pattern .= '|';
                        $pattern .= '[\t\n\r]';
                        $pattern .= ')*';
                    }
                    $pattern .= $ra[$i][$j];
                }
                $pattern .= '/i';
                $replacement = substr($ra[$i], 0, 2) . '<x>' . substr($ra[$i], 2); // add in <> to nerf the tag
                $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
            }
            // compare once per round, after every keyword has been tried; checking inside the for loop
            // (as the original did) ended the loop as soon as any single keyword failed to match
            if ($val_before == $val) {
                // no replacements were made this round, so exit the loop
                $found = false;
            }
        }
        return $val;
    }
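    RemoveXSS above is a denylist: it only neutralises the tag and handler names listed in $ra1 and $ra2. A payload such as <details open ontoggle=alert(1)> uses a tag and an event handler that appear in neither list, so the function returns it unchanged. The allowlist sanitizer below is an added example written for this page (not the post's code) that implements step 3's rule of keeping only a minimal set of safe tags and dropping remote stylesheets and scripts; the tag, attribute and URL-scheme sets it uses are assumptions for a comment field, not something the post specifies.

```php
<?php
// Added example, not code from the post: an allowlist sanitizer for step 3's
// "only a minimal set of safe tags, no remote stylesheets or scripts" rule.
// The tag/attribute/scheme sets below are assumptions for a comment field;
// the post does not specify them.
declare(strict_types=1);

const KEEP_TAGS    = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'code', 'pre', 'blockquote', 'a'];
const KEEP_ATTRS   = ['a' => ['href', 'title']];
const KEEP_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose content is dangerous too: remove the whole subtree, not just the tag.
const DROP_SUBTREE = ['script', 'style', 'link', 'meta', 'base', 'title', 'iframe', 'frame',
                      'frameset', 'object', 'embed', 'applet', 'svg', 'math', 'template', 'noscript'];

function href_is_safe(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java\tscript:"), so drop them before looking at it. Relative URLs
    // have no scheme and are accepted.
    $compact = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $compact, $m) === 1) {
        return in_array(strtolower($m[1]), KEEP_SCHEMES, true);
    }
    return true;
}

function clean_children(DOMNode $parent): void
{
    // Snapshot the list: removing or unwrapping while iterating a live NodeList skips siblings.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                  // saveHTML() escapes text on output
        }
        if (!$child instanceof DOMElement) {           // comments, processing instructions
            $parent->removeChild($child);
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_SUBTREE, true)) {
            $parent->removeChild($child);
            continue;
        }
        clean_children($child);                        // recurse first so hoisted children are clean
        if (!in_array($tag, KEEP_TAGS, true)) {
            // Unknown element (div, details, font, ...): keep its text, drop the tag.
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        // Allowed element: keep only allowlisted attributes. Every on* handler,
        // style= and src= is removed here without having to be named.
        $allowed = KEEP_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed, true) || ($name === 'href' && !href_is_safe($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitize_html(string $fragment): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // broken markup is expected, not fatal
    // The parser decodes &#106;avascript-style entities itself, so the value we
    // inspect is what the browser would act on; no hand-written entity loop needed.
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
        . 'content="text/html; charset=utf-8"></head><body>' . $fragment . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_children($body);
    $out = '';
    foreach ($body->childNodes as $node) {
        $out .= $doc->saveHTML($node);                 // re-serialised from the DOM, never spliced
    }
    return $out;
}

// Constructed payloads. The first two use a tag (details) and handlers (ontoggle,
// onpointerover) that RemoveXSS's $ra1/$ra2 lists do not contain.
$samples = [
    '<details open ontoggle=alert(1)>hi</details>',
    '<p onpointerover=alert(1)>hover</p>',
    '<a href="&#106;avascript:alert(1)">click</a>',
    "<a href=\" java\tscript:alert(1)\">click</a>",
    '<link rel=stylesheet href="//evil.example/x.css"><b>bold</b>',
    '<script>steal(document.cookie)</script><p>Hello <i>world</i></p>',
    '<a href="https://example.org/" title="ok">fine</a> &lt;not a tag&gt;',
];
foreach ($samples as $s) {
    echo $s, "\n  -> ", sanitize_html($s), "\n";
}
```

    Two design points matter here. First, the decision is made on the parsed DOM, after entity decoding, and the output is re-serialised from that DOM, so the browser only ever sees markup the sanitizer itself produced; nothing from the original string is spliced back in. Second, DOMDocument is libxml2's HTML parser, not a browser's, and the two can disagree on malformed input, which is the reason to keep the allowlist this small rather than to try to enumerate what is dangerous.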
  • Original article: https://www.cnblogs.com/cp-miao/p/6121154.html