Filter HTML online editors to generate harmful code

Some powerful online editors already include code sorting and filtering functions, but js processing can be easily ignored. The server must filter again. It took a few days I took some time and wrote part of it. I hope it will be of some use to everyone. My ability is limited, so I would like to ask capable friends to complete it.



/*Array that does not require filtering*/
$htm_on=array(
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"font");

$htm_on_uper=array(
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"FONT");

/* Character format*/
$str=strtolower($str);
$str=preg_replace("//s+/", " ", $str);//Filter carriage return
$str=preg_replace ("/ +/", " ", $str);//Filter multiple spaces

/*Filter/replace several forms of js*/
$str=preg_replace("/(.*?)/si","",$str);//Delete <script>. . . </script>Format,
//$str=preg_replace("/(.*?)/si", "/1>//2/3>",$str);//Replace with something that can be displayed,

$str=preg_replace("//si","",$str);//Delete<script>unclosed<br/>//$str=preg_replace("/<(script.*?)>/si","&lt ;//1>",$str);//Replace unclosed<br/><br/>/*Delete/Replace form*/<br/>$str=preg_replace("/<(//?form.*? )>/si","",$str);//Delete form<br/>//$str=preg_replace("/<(//?form.*?)>/si","< //1>",$str);//Replacement form<br/><br/>$str=preg_replace("/<(i?frame.*?)>(.*?)<(//i ?frame.*?)>/si","",$str);//Delete frame<br/>//$str=preg_replace("/<(i?frame.*?)>(.* ?)<(//i?frame.*?)>/si","<//1>//2<//3>",$str);//Replace frame<br/><br/>/*Filter on events*/<br/>$str=preg_replace("/href=(.+?)([/"|/'| |>])/ie","'href='.strtoupper( '//1').'//2'",$str);//Convert the on involved in href= to uppercase. <br/>$str=str_replace($htm_on,$htm_on_uper,$str);/ /Replace <font,font> into uppercase, dhtml tag characters. Regular judgment is too cumbersome, so use conversion method <br/>$str=preg_replace("/(on[^ /.<>]+?)( [ |>])/s","//2",$str);//Remove the on event<br/><br/>/*Filter the js of the super connection*/<br/>$str=preg_replace(" /(href|src|background|url|dynsrc|expression|codebase)[=:/(]([ /"/']*?/w+/..*?|javascript|vbscript:[^>]*? )(/)?)([ >//])/si","//1='#' //3//4",$str);//Remove href=javascript:<br/><br/>//Return lowercase characters<br/>$str=strtolower($str);<br/>$str=str_replace("&","&",$str);</script>

The above is the detailed content of Filter HTML online editors to generate harmful code. For more information, please follow other related articles on the PHP Chinese website!