一个过虑xxs的代码
public static function removeXSS($str) { $str = str_replace('<!-- -->', '', $str); $str = preg_replace('~/*[ ]+*/~i', '', $str); $str = preg_replace('/\ {0,4}4[0-9a-f]/is', '', $str); $str = preg_replace('/\ {0,4}5[0-9a]/is', '', $str); $str = preg_replace('/\ {0,4}6[0-9a-f]/is', '', $str); $str = preg_replace('/\ {0,4}7[0-9a]/is', '', $str); $str = preg_replace('/�{0,8}[0-9a-f]{2};/is', '', $str); $str = preg_replace('/�{0,8}[0-9]{2,3};/is', '', $str); $str = preg_replace('/�{0,8}[0-9]{2,3};/is', '', $str); $str = htmlspecialchars($str); //$str = preg_replace('/</i', '<', $str); //$str = preg_replace('/>/i', '>', $str); // 非成对标签 $lone_tags = array("img", "param", "br", "hr"); foreach ($lone_tags as $key => $val) { $val = preg_quote($val); $str = preg_replace('/<' . $val . '(.*)(/?)>/isU', '<' . $val . "\1\2>", $str); $str = self::transCase($str); $str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""",""",$temp[0]);'), $str); } $str = preg_replace('/&/i', '&', $str); // 成对标签 $double_tags = array("table", "tr", "td", "font", "a", "object", "embed", "p", "strong", "em", "u", "ol", "ul", "li", "div", "tbody", "span", "blockquote", "pre", "b", "font"); foreach ($double_tags as $key => $val) { $val = preg_quote($val); $str = preg_replace('/<' . $val . '(.*)>/isU', '<' . $val . "\1>", $str); $str = self::transCase($str); $str = preg_replace_callback('/<' . $val . '(.+?)>/i', create_function('$temp', 'return str_replace(""",""",$temp[0]);'), $str); $str = preg_replace('/</' . $val . '>/is', '</' . $val . ">", $str); } // 清理js $tags = Array( 'javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'behaviour', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'font' ); foreach ($tags as $tag) { $tag = preg_quote($tag); $str = preg_replace('/' . $tag . '(.*)/isU', '\1', $str); $str = preg_replace('/' . $tag . 's*:/isU', $tag . ':', $str); } $str = preg_replace('/[s]+on[w]+[s]*=/is', '', $str); Return $str; }链接地址:https://github.com/sillydong/CZD_Yaf_Extension/blob/master/library/Tools.php
不错的yaf封闭mysql地址 https://github.com/jonsonxu/yaf