php clear_xss2
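/**
 * Version 2 of the XSS filter: keeps ordinary HTML markup but removes the
 * elements and attributes that can execute script.
 *
 * The input is parsed into a DOM and cleaned structurally rather than with
 * regexes, so the rest of the markup survives intact. This is a denylist
 * filter: any tag or attribute not listed below passes through unchanged, so
 * callers that need a stricter policy should pass extra tag names in
 * $extratags.
 *
 * @param string $val       Untrusted HTML fragment or document to clean
 * @param array  $extratags Additional tag names to strip (case-insensitive)
 * @return string The cleaned markup as serialised by DOMDocument::saveHTML()
 */
function clear_xss2($val, $extratags = array()) {
    $val = (string) $val;
    // DOMDocument::loadHTML() rejects an empty string (ValueError on PHP 8),
    // and there is nothing to clean in that case anyway.
    if ($val === '') {
        return '';
    }

    // libxml turns malformed HTML into PHP warnings unless internal error
    // handling is on; keep the previous setting so it can be restored below.
    $prevUseErrors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($val);

    // Comments are never needed in the output and can carry conditional-comment payloads.
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//comment()') as $comment) {
        $comment->parentNode->removeChild($comment);
    }

    // Elements that run or embed active content. libxml lower-cases tag names
    // when parsing HTML and getElementsByTagName() is case-sensitive, so
    // caller-supplied names are normalised the same way.
    $forbiddenTags = array('script', 'applet', 'iframe', 'frameset', 'frame', 'object', 'embed');
    if (!empty($extratags)) {
        $forbiddenTags = array_merge($forbiddenTags, array_map('strtolower', $extratags));
    }
    foreach ($forbiddenTags as $tag) {
        // The node list is live, so re-query until no element of this name is left.
        while (($r = $doc->getElementsByTagName($tag)) && $r->length) {
            $r->item(0)->parentNode->removeChild($r->item(0));
        }
    }

    // Attributes whose value is a URL: a javascript:/vbscript: scheme there
    // executes without any on* handler being present.
    $urlAttributes = array('href', 'src', 'action', 'formaction', 'xlink:href', 'background', 'poster', 'data');

    $nodes = $doc->getElementsByTagName('*');
    for ($c = 0; $c < $nodes->length; $c++) {
        $node = $nodes->item($c);
        // $node->attributes is a live map: removing an attribute while iterating
        // it skips the attribute that follows, which let a second on* handler
        // survive. Collect the names first, then remove them.
        $toRemove = array();
        foreach ($node->attributes as $name => $attr) {
            $lname = strtolower($name);
            if (substr($lname, 0, 2) === 'on') {
                // Event handlers (onclick, onerror, ...) are always script.
                $toRemove[] = $name;
                continue;
            }
            if (in_array($lname, $urlAttributes, true)) {
                // Browsers ignore whitespace and control characters before and
                // inside the scheme, so strip them before comparing. Entities
                // such as &#58; are already decoded by the DOM parser.
                $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue));
                if (substr($value, 0, 11) === 'javascript:' || substr($value, 0, 9) === 'vbscript:') {
                    $toRemove[] = $name;
                }
            }
        }
        foreach ($toRemove as $name) {
            $node->removeAttribute($name);
        }
    }

    libxml_clear_errors();
    libxml_use_internal_errors($prevUseErrors);
    return $doc->saveHTML();
}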