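/**
 * Run the XSS filter over a string.
 *
 * Tokenizes the input into tags / comments / stray angle brackets and hands
 * every match to $this->split(), which is where the tag and style allowlists
 * set below are actually enforced. Note that this method MUTATES the filter
 * instance: the allowlists are stored on $this for split() to read.
 *
 * @param string $string                  Input text; must be valid UTF-8.
 * @param array  $allowedTags             Allowed tags, e.g. array('a' => array()).
 * @param array  $allowedStyleProperties  Allowed style properties, e.g. array('font-size', 'font-weight').
 * @return string The filtered text. Returns '' (fail closed) for non-UTF-8 input
 *                and when the PCRE engine reports an error.
 */
public function filter($string, $allowedTags = array(), $allowedStyleProperties = array())
{
    // Anything that is not valid UTF-8 is dropped entirely rather than
    // passed through: malformed byte sequences are a classic way to smuggle
    // characters past a byte-oriented filter.
    if (!StringTool::isUTF8($string)) {
        return '';
    }

    // Install the allowlists that split() will consult.
    $this->setAllowedTags($allowedTags);
    $this->setAllowedStyleProperties($allowedStyleProperties);

    // Strip NUL bytes.
    $string = str_replace(chr(0), '', $string);

    // Remove Netscape 4 JS entities (&{ ... };).
    $string = preg_replace('%&\\s*\\{[^}]*(\\}\\s*;?|$)%', '', $string);

    // Escape every ampersand, then restore only well-formed entities below.
    // This is the step that disarms half-written or invalid entities; it was
    // a no-op ('&' -> '&') before, which left every '&' unencoded and made
    // the three "restore" replacements below dead code.
    $string = str_replace('&', '&amp;', $string);

    // Change back only well-formed entities:
    // decimal numeric entities ...
    $string = preg_replace('/&amp;#([0-9]+;)/', '&#\\1', $string);
    // ... hexadecimal numeric entities (leading zeros dropped) ...
    $string = preg_replace('/&amp;#[Xx]0*((?:[0-9A-Fa-f]{2})+;)/', '&#x\\1', $string);
    // ... and named entities.
    $string = preg_replace('/&amp;([A-Za-z][A-Za-z0-9]*;)/', '&\\1', $string);

    // Tokenize and let split() decide what each piece becomes.
    $result = preg_replace_callback('%
        (
        <(?=[^a-zA-Z!/])       # a lone <
        |                      # or
        <!--.*?-->             # a comment
        |                      # or
        <[^>]*(>|$)            # a string that starts with a <, up until the > or the end of the string
        |                      # or
        >                      # just a >
        )%x', array($this, 'split'), $string);

    // preg_replace_callback() returns null on a PCRE error (e.g. the
    // backtrack limit on pathological input); fail closed instead of
    // handing null back to the caller.
    if ($result === null) {
        return '';
    }

    return $result;
}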