A PHP xss_clean() helper that strips common JavaScript-injection vectors (script/iframe/object tags, on* event attributes, javascript:/vbscript: URLs, CSS expression()) from input. Note that this is a blacklist filter: it does not remove *all* malicious code and blacklists of this kind are routinely bypassed, so it must not be your only XSS defence — always escape output for its context (e.g. htmlspecialchars() for HTML) and use this only as defence in depth.
You can exercise the filter with the tests on this site.
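/**
 * Strip the most common XSS vectors from a string, recursing into arrays and objects.
 *
 * Pipeline (order matters — later patterns rely on earlier normalisation):
 *   1. drop NULL bytes;
 *   2. protect already-encoded &amp; &lt; &gt;, normalise "&entity \n;" / "&#xNN" forms
 *      and decode entities, so an entity-encoded payload cannot slip past the patterns;
 *   3. remove on*= and xmlns= attributes;
 *   4. neuter javascript: / vbscript: / -moz-binding: in attribute values;
 *   5. strip style attributes carrying expression( / behaviour( / script: (IE-only vectors);
 *   6. remove namespaced elements (<ns:tag>);
 *   7. remove a fixed list of dangerous tags until the output stops changing (so that
 *      "<scr<script>ipt>" style nesting is also caught).
 *
 * SECURITY NOTE: this is a blacklist sanitiser and is bypassable; it must not be the only
 * XSS defence. Escape for the output context instead (htmlspecialchars($s, ENT_QUOTES |
 * ENT_SUBSTITUTE, 'UTF-8') for HTML) and treat this function as defence in depth.
 *
 * @param mixed  $str     String to clean, or an array/object whose members are cleaned
 *                        recursively. Objects are modified in place (public properties only).
 * @param string $charset Charset handed to html_entity_decode(); defaults to UTF-8.
 * @return mixed The cleaned string, or the array/object with cleaned members. If PCRE fails on
 *               the input (e.g. invalid UTF-8 under the /u modifier, backtrack limit) an empty
 *               string is returned rather than the unfiltered input — fail closed.
 */
function xss_clean($str, $charset = 'UTF-8')
{
    if (is_array($str)) {
        foreach ($str as $key => $value) {
            $str[$key] = xss_clean($value, $charset);
        }
        return $str;
    }

    if (is_object($str)) {
        // Objects must be written back via property access: the array-style
        // assignment used for arrays throws "Cannot use object ... as array".
        foreach ($str as $key => $value) {
            $str->{$key} = xss_clean($value, $charset);
        }
        return $str;
    }

    // Remove all NULL bytes (they are ignored by some parsers and used to split keywords).
    $str = str_replace("\0", '', (string) $str);

    // Double-encode existing &amp; &lt; &gt; so that html_entity_decode() below restores
    // them unchanged instead of turning "&lt;script&gt;" into a live tag.
    $str = str_replace(
        array('&amp;', '&lt;', '&gt;'),
        array('&amp;amp;', '&amp;lt;', '&amp;gt;'),
        $str
    );

    // Fix "&entity\n;" and unterminated "&#xNN" numeric entities so they decode normally.
    $str = preg_replace(
        array('/(&#*\w+)[\x00-\x20]+;/u', '/(&#x*[0-9A-F]+);*/iu'),
        array('$1;', '$1;'),
        $str
    );
    if ($str === null) {
        // PCRE failure: do not hand back unfiltered input.
        return '';
    }

    $str = html_entity_decode($str, ENT_COMPAT, $charset);

    // Patterns are applied in this exact order, each to the output of the previous one.
    $patterns = array(
        // Remove any attribute starting with "on" or xmlns.
        '#(?:on[a-z]+|xmlns)\s*=\s*[\'"\x00-\x20]?[^\'>"]*[\'"\x00-\x20]?\s?#iu',
        // Remove javascript: and vbscript: protocols and the Firefox -moz-binding: property;
        // [\x00-\x20]* between letters catches "j a v a\tscript:" obfuscation.
        '#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu',
        '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu',
        '#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u',
        // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#is',
        '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#is',
        '#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#ius',
        // Remove namespaced elements (we do not need them).
        '#</*\w+:\w[^>]*+>#i',
    );
    $replacements = array(
        '',
        '$1=$2nojavascript...',
        '$1=$2novbscript...',
        '$1=$2nomozbinding...',
        '$1>',
        '$1>',
        '$1>',
        '',
    );
    $str = preg_replace($patterns, $replacements, $str);
    if ($str === null) {
        return '';
    }

    // Remove really unwanted tags. Tag list restored from the upstream (Bitflux/Kohana)
    // version of this helper — confirm it against the copy you deploy. Looping until the
    // string stops changing defeats tags nested inside other tags.
    $unwantedTags = '#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i';
    do {
        $previous = $str;
        $str = preg_replace($unwantedTags, '', $str);
        if ($str === null) {
            return '';
        }
    } while ($previous !== $str);

    return $str;
}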