【PHP】預防XSS攻擊

function stripslashes_gpc(&$value){ $value = stripslashes($value); $value = addslashes($value); $value = htmlspecialchars($value); //$value = htmlentities($value); $farr = array( "/\s /", //過濾多余的空白 "/<(\/?)(script|i?frame|style|html|body|title|link|meta|\?|\%)([^>]*?)>/isU", //過濾 <script "/(<[^>]*)on[a-zA-Z] \s*=([^>]*>)/isU", //過濾javascript的on事件 "/\%/" ); $tarr = array( " ", "＜\\1\\2\\3＞", //如果要直接清除不安全的標簽，這里可以留空 "\\1\\2", "" ); return $value = preg_replace( $farr,$tarr,$value); }

*單一變數 $a = stripslashes_gpc($a);
*陣列 array_walk_recursive($_POST, 'stripslashes_gpc');
*不適用網頁編輯器