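 /**
  * Run the XSS filter over a string.
  *
  * Pipeline (same shape as the classic Drupal/Kohana filter_xss): reject
  * non-UTF-8 input outright, strip NUL bytes and Netscape-4 "&{...}" JS
  * entities, neutralise every '&' that is not part of a well-formed entity,
  * then hand each tag-like token to $this->split(), which is expected to
  * enforce the allowed-tag / allowed-style whitelist (its implementation is
  * outside this block — confirm it really drops disallowed tags/attributes).
  *
  * @param string $string                  Input text; must be valid UTF-8
  * @param array  $allowedTags             e.g. array('a' => array()) — tags allowed to survive
  * @param array  $allowedStyleProperties  e.g. array('font-size', 'font-weight') — allowed CSS properties
  * @return string Filtered text; '' when the input is not UTF-8 or when PCRE fails (fail closed)
  */
 public function filter($string, $allowedTags = array(), $allowedStyleProperties = array())
 {
     // Fail closed on non-UTF-8: invalid/overlong byte sequences can hide a
     // '<' or '&' from the byte-oriented regexes below, so drop the input.
     if (!StringTool::isUTF8($string)) {
         return '';
     }
     $this->setAllowedTags($allowedTags);
     $this->setAllowedStyleProperties($allowedStyleProperties);
     // NUL bytes are ignored by some browsers (e.g. "<scr\0ipt>"), so remove
     // them before any pattern matching.
     $string = str_replace(chr(0), '', $string);
     // Netscape 4 JS entities "&{ ... };" — strip them entirely.
     $string = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $string);
     // Defuse ALL entities by escaping '&' to '&amp;'. The previous version
     // replaced '&' with '&' (a no-op), so nothing was ever defused and the
     // three "restore" patterns below could not match either.
     $string = str_replace('&', '&amp;', $string);
     // Restore only well-formed entities: decimal numeric entities,
     $string = preg_replace('/&amp;#([0-9]+;)/', '&#\\1', $string);
     // hexadecimal numeric entities (leading zeros dropped, even digit count),
     $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\\1', $string);
     // and named entities. Anything malformed (e.g. "&#106avascript:", which
     // browsers may still decode inside attributes) stays a literal "&amp;".
     $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\\1', $string);
     // Tokenise on anything that looks like a tag and let split() decide
     // whether each token survives.
     $result = preg_replace_callback('%
       (
       <(?=[^a-zA-Z!/])  # a lone <
       |                 # or
       <!--.*?-->        # a comment
       |                 # or
       <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
       |                 # or
       >                 # just a >
       )%x', array($this, 'split'), $string);
     // preg_replace_callback() returns null on a PCRE error (e.g. backtrack
     // limit on hostile input); never return null/raw text here — fail closed.
     return $result === null ? '' : $result;
 }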