php防御XSS攻击-PHP源码

function remove_xss($val) {
   // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
   // this prevents some character re-spacing such as// note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
   $val = preg_replace(&＃39;/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/&＃39;, &＃39;&＃39;, $val);

   // straight replacements, the user should never need these since they&＃39;re normal characters
   // this prevents like 
   $search = &＃39;abcdefghijklmnopqrstuvwxyz&＃39;;
   $search .= &＃39;ABCDEFGHIJKLMNOPQRSTUVWXYZ&＃39;;
   $search .= &＃39;1234567890!@#$%^&*()&＃39;;
   $search .= &＃39;~"`;:?+/={}[]-_|\&＃39;\\&＃39;;
   for ($i = 0; $i  0) {
               $pattern .= &＃39;(&＃39;;
               $pattern .= &＃39;(&＃[xX]0{0,8}([9ab]);)&＃39;;
               $pattern .= &＃39;|&＃39;;
               $pattern .= &＃39;|({0,8}([9|10|13]);)&＃39;;
               $pattern .= &＃39;)*&＃39;;
            }
            $pattern .= $ra[$i][$j];
         }
         $pattern .= &＃39;/i&＃39;;
         $replacement = substr($ra[$i], 0, 2).&＃39;&＃39;.substr($ra[$i], 2); // add in <> to nerf the tag
         $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
         if ($val_before == $val) {
            // no replacements were made, so exit the loop
            $found = false;
         }
      }
   }
   return $val;
}