Ideone.com

download

copy

<?php
function RemoveXSS($val) {
   // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
   // this prevents some character re-spacing such as <java\0script>
   // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
   $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);
 
   // straight replacements, the user should never need these since they're normal characters
   // this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
   $search = 'abcdefghijklmnopqrstuvwxyz';
   $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
   $search .= '1234567890!@#$%^&*()';
   $search .= '~`";:?+/={}[]-_|\'\\';
   for ($i = 0; $i < strlen($search); $i++) {
      // ;? matches the ;, which is optional
      // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
 
      // &#x0040 @ search for the hex values
      $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
      // &#00064 @ 0{0,7} matches '0' zero to seven times
      $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
   }
 
   // now the only remaining whitespace attacks are \t, \n, and \r
   $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
   $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
   $ra = array_merge($ra1, $ra2);
 
   $found = true; // keep replacing as long as the previous round replaced something
   while ($found == true) {
      $val_before = $val;
      for ($i = 0; $i < sizeof($ra); $i++) {
         $pattern = '/';
         for ($j = 0; $j < strlen($ra[$i]); $j++) {
            if ($j > 0) {
               $pattern .= '(';
               $pattern .= '(&#[xX]0{0,8}([9ab]);)';
               $pattern .= '|';
               $pattern .= '|(&#0{0,8}([9|10|13]);)';
               $pattern .= ')*';
            }
            $pattern .= $ra[$i][$j];
         }
         $pattern .= '/i';
         $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
         $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
         if ($val_before == $val) {
            // no replacements were made, so exit the loop
            $found = false;
         }
      }
   }
   return $val;
} echo RemoveXSS("a <b onabort &#X61 > helo"); ?>

PD9waHAKZnVuY3Rpb24gUmVtb3ZlWFNTKCR2YWwpIHsKICAgLy8gcmVtb3ZlIGFsbCBub24tcHJpbnRhYmxlIGNoYXJhY3RlcnMuIENSKDBhKSBhbmQgTEYoMGIpIGFuZCBUQUIoOSkgYXJlIGFsbG93ZWQKICAgLy8gdGhpcyBwcmV2ZW50cyBzb21lIGNoYXJhY3RlciByZS1zcGFjaW5nIHN1Y2ggYXMgPGphdmFcMHNjcmlwdD4KICAgLy8gbm90ZSB0aGF0IHlvdSBoYXZlIHRvIGhhbmRsZSBzcGxpdHMgd2l0aCBcbiwgXHIsIGFuZCBcdCBsYXRlciBzaW5jZSB0aGV5ICphcmUqIGFsbG93ZWQgaW4gc29tZSBpbnB1dHMKICAgJHZhbCA9IHByZWdfcmVwbGFjZSgnLyhbXHgwMC1ceDA4LFx4MGItXHgwYyxceDBlLVx4MTldKS8nLCAnJywgJHZhbCk7CiAgIAogICAvLyBzdHJhaWdodCByZXBsYWNlbWVudHMsIHRoZSB1c2VyIHNob3VsZCBuZXZlciBuZWVkIHRoZXNlIHNpbmNlIHRoZXkncmUgbm9ybWFsIGNoYXJhY3RlcnMKICAgLy8gdGhpcyBwcmV2ZW50cyBsaWtlIDxJTUcgU1JDPSYjWDQwJiNYNjEmI1g3NiYjWDYxJiNYNzMmI1g2MyYjWDcyJiNYNjkmI1g3MCYjWDc0JiNYM0EmI1g2MSYjWDZDJiNYNjUmI1g3MiYjWDc0JiNYMjgmI1gyNyYjWDU4JiNYNTMmI1g1MyYjWDI3JiNYMjk+CiAgICRzZWFyY2ggPSAnYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXonOwogICAkc2VhcmNoIC49ICdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWic7CiAgICRzZWFyY2ggLj0gJzEyMzQ1Njc4OTAhQCMkJV4mKigpJzsKICAgJHNlYXJjaCAuPSAnfmAiOzo/Ky89e31bXS1ffFwnXFwnOwogICBmb3IgKCRpID0gMDsgJGkgPCBzdHJsZW4oJHNlYXJjaCk7ICRpKyspIHsKICAgICAgLy8gOz8gbWF0Y2hlcyB0aGUgOywgd2hpY2ggaXMgb3B0aW9uYWwKICAgICAgLy8gMHswLDd9IG1hdGNoZXMgYW55IHBhZGRlZCB6ZXJvcywgd2hpY2ggYXJlIG9wdGlvbmFsIGFuZCBnbyB1cCB0byA4IGNoYXJzCiAgIAogICAgICAvLyAmI3gwMDQwIEAgc2VhcmNoIGZvciB0aGUgaGV4IHZhbHVlcwogICAgICAkdmFsID0gcHJlZ19yZXBsYWNlKCcvKCYjW3hYXTB7MCw4fScuZGVjaGV4KG9yZCgkc2VhcmNoWyRpXSkpLic7PykvaScsICRzZWFyY2hbJGldLCAkdmFsKTsgLy8gd2l0aCBhIDsKICAgICAgLy8gJiMwMDA2NCBAIDB7MCw3fSBtYXRjaGVzICcwJyB6ZXJvIHRvIHNldmVuIHRpbWVzCiAgICAgICR2YWwgPSBwcmVnX3JlcGxhY2UoJy8oJiMwezAsOH0nLm9yZCgkc2VhcmNoWyRpXSkuJzs/KS8nLCAkc2VhcmNoWyRpXSwgJHZhbCk7IC8vIHdpdGggYSA7CiAgIH0KICAgCiAgIC8vIG5vdyB0aGUgb25seSByZW1haW5pbmcgd2hpdGVzcGFjZSBhdHRhY2tzIGFyZSBcdCwgXG4sIGFuZCBccgogICAkcmExID0gQXJyYXkoJ2phdmFzY3JpcHQnLCAndmJzY3JpcHQnLCAnZXhwcmVzc2lvbicsICdhcHBsZXQnLCAnbWV0YScsICd4bWwnLCAnYmxpbmsnLCAnbGluaycsICdzdHlsZScsICdzY3JpcHQnLCAnZW1iZWQnLCAnb2JqZWN0JywgJ2lmcmFtZScsICdmcmFtZScsICdmcmFtZXNldCcsICdpbGF5ZXInLCAnbGF5ZXInLCAnYmdzb3VuZCcsICd0aXRsZScsICdiYXNlJyk7CiAgICRyYTIgPSBBcnJheSgnb25hYm9ydCcsICdvbmFjdGl2YXRlJywgJ29uYWZ0ZXJwcmludCcsICdvbmFmdGVydXBkYXRlJywgJ29uYmVmb3JlYWN0aXZhdGUnLCAnb25iZWZvcmVjb3B5JywgJ29uYmVmb3JlY3V0JywgJ29uYmVmb3JlZGVhY3RpdmF0ZScsICdvbmJlZm9yZWVkaXRmb2N1cycsICdvbmJlZm9yZXBhc3RlJywgJ29uYmVmb3JlcHJpbnQnLCAnb25iZWZvcmV1bmxvYWQnLCAnb25iZWZvcmV1cGRhdGUnLCAnb25ibHVyJywgJ29uYm91bmNlJywgJ29uY2VsbGNoYW5nZScsICdvbmNoYW5nZScsICdvbmNsaWNrJywgJ29uY29udGV4dG1lbnUnLCAnb25jb250cm9sc2VsZWN0JywgJ29uY29weScsICdvbmN1dCcsICdvbmRhdGFhdmFpbGFibGUnLCAnb25kYXRhc2V0Y2hhbmdlZCcsICdvbmRhdGFzZXRjb21wbGV0ZScsICdvbmRibGNsaWNrJywgJ29uZGVhY3RpdmF0ZScsICdvbmRyYWcnLCAnb25kcmFnZW5kJywgJ29uZHJhZ2VudGVyJywgJ29uZHJhZ2xlYXZlJywgJ29uZHJhZ292ZXInLCAnb25kcmFnc3RhcnQnLCAnb25kcm9wJywgJ29uZXJyb3InLCAnb25lcnJvcnVwZGF0ZScsICdvbmZpbHRlcmNoYW5nZScsICdvbmZpbmlzaCcsICdvbmZvY3VzJywgJ29uZm9jdXNpbicsICdvbmZvY3Vzb3V0JywgJ29uaGVscCcsICdvbmtleWRvd24nLCAnb25rZXlwcmVzcycsICdvbmtleXVwJywgJ29ubGF5b3V0Y29tcGxldGUnLCAnb25sb2FkJywgJ29ubG9zZWNhcHR1cmUnLCAnb25tb3VzZWRvd24nLCAnb25tb3VzZWVudGVyJywgJ29ubW91c2VsZWF2ZScsICdvbm1vdXNlbW92ZScsICdvbm1vdXNlb3V0JywgJ29ubW91c2VvdmVyJywgJ29ubW91c2V1cCcsICdvbm1vdXNld2hlZWwnLCAnb25tb3ZlJywgJ29ubW92ZWVuZCcsICdvbm1vdmVzdGFydCcsICdvbnBhc3RlJywgJ29ucHJvcGVydHljaGFuZ2UnLCAnb25yZWFkeXN0YXRlY2hhbmdlJywgJ29ucmVzZXQnLCAnb25yZXNpemUnLCAnb25yZXNpemVlbmQnLCAnb25yZXNpemVzdGFydCcsICdvbnJvd2VudGVyJywgJ29ucm93ZXhpdCcsICdvbnJvd3NkZWxldGUnLCAnb25yb3dzaW5zZXJ0ZWQnLCAnb25zY3JvbGwnLCAnb25zZWxlY3QnLCAnb25zZWxlY3Rpb25jaGFuZ2UnLCAnb25zZWxlY3RzdGFydCcsICdvbnN0YXJ0JywgJ29uc3RvcCcsICdvbnN1Ym1pdCcsICdvbnVubG9hZCcpOwogICAkcmEgPSBhcnJheV9tZXJnZSgkcmExLCAkcmEyKTsKICAgCiAgICRmb3VuZCA9IHRydWU7IC8vIGtlZXAgcmVwbGFjaW5nIGFzIGxvbmcgYXMgdGhlIHByZXZpb3VzIHJvdW5kIHJlcGxhY2VkIHNvbWV0aGluZwogICB3aGlsZSAoJGZvdW5kID09IHRydWUpIHsKICAgICAgJHZhbF9iZWZvcmUgPSAkdmFsOwogICAgICBmb3IgKCRpID0gMDsgJGkgPCBzaXplb2YoJHJhKTsgJGkrKykgewogICAgICAgICAkcGF0dGVybiA9ICcvJzsKICAgICAgICAgZm9yICgkaiA9IDA7ICRqIDwgc3RybGVuKCRyYVskaV0pOyAkaisrKSB7CiAgICAgICAgICAgIGlmICgkaiA+IDApIHsKICAgICAgICAgICAgICAgJHBhdHRlcm4gLj0gJygnOwogICAgICAgICAgICAgICAkcGF0dGVybiAuPSAnKCYjW3hYXTB7MCw4fShbOWFiXSk7KSc7CiAgICAgICAgICAgICAgICRwYXR0ZXJuIC49ICd8JzsKICAgICAgICAgICAgICAgJHBhdHRlcm4gLj0gJ3woJiMwezAsOH0oWzl8MTB8MTNdKTspJzsKICAgICAgICAgICAgICAgJHBhdHRlcm4gLj0gJykqJzsKICAgICAgICAgICAgfQogICAgICAgICAgICAkcGF0dGVybiAuPSAkcmFbJGldWyRqXTsKICAgICAgICAgfQogICAgICAgICAkcGF0dGVybiAuPSAnL2knOwogICAgICAgICAkcmVwbGFjZW1lbnQgPSBzdWJzdHIoJHJhWyRpXSwgMCwgMikuJzx4Picuc3Vic3RyKCRyYVskaV0sIDIpOyAvLyBhZGQgaW4gPD4gdG8gbmVyZiB0aGUgdGFnCiAgICAgICAgICR2YWwgPSBwcmVnX3JlcGxhY2UoJHBhdHRlcm4sICRyZXBsYWNlbWVudCwgJHZhbCk7IC8vIGZpbHRlciBvdXQgdGhlIGhleCB0YWdzCiAgICAgICAgIGlmICgkdmFsX2JlZm9yZSA9PSAkdmFsKSB7CiAgICAgICAgICAgIC8vIG5vIHJlcGxhY2VtZW50cyB3ZXJlIG1hZGUsIHNvIGV4aXQgdGhlIGxvb3AKICAgICAgICAgICAgJGZvdW5kID0gZmFsc2U7CiAgICAgICAgIH0KICAgICAgfQogICB9CiAgIHJldHVybiAkdmFsOwp9IGVjaG8gUmVtb3ZlWFNTKCJhIDxiIG9uYWJvcnQgJiNYNjEgPiBoZWxvIik7ID8+CiAKCgoK

Success #stdin #stdout 0.04s 13112KB

stdin

copy

Standard input is empty

stdout

copy

a <b on<x>abort a > helo

https://ideone.com/ax25u

language:

PHP (php 7.3.5)

created:

visibility:

public

Share or Embed source code

Discover > Sphere Engine API

The brand new service which powers Ideone!

Discover > IDE Widget

Widget for compiling and running the source code in a web browser!

Discover > Sphere Engine API

Discover > IDE Widget

Choose your language