如何允许HTML标记用于输入而不易受XSS攻击

How can I allow HTML tags for input without being vulnerable to XSS?


我知道<b>标记在XSS中是无害的,但经过测试,我发现如果添加onclick脚本标记,它可以被操纵,例如
<b onclick="alert('xss');">Hello</b>

如何在这些低级别元素上防止XSS?

最好使用正则表达式:

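 <?php
// Allowlist check: the WHOLE input must be exactly one <b> element whose text
// is limited to letters, digits and spaces.  Anchoring with ^ and $ is what
// makes this safe: without anchors a harmless <b>..</b> anywhere inside a
// larger, unchecked string would satisfy the pattern.  The D modifier stops $
// from matching before a trailing newline.  Note the class is a-zA-Z: the
// original a-z..A-z (lowercase z) would also have admitted [ \ ] ^ _ `.
$testStringA = '<b>I am a nice text without any evil characters</b>';
$testStringB = '<b onclick="alert(evil)">I am supposed to be evil. :) </b>';
$pattern = '/^<b>[a-zA-Z0-9 ]+<\/b>$/D';
if (preg_match($pattern, $testStringB)) {
    // this will NOT execute: the attribute cannot fit the pattern
    echo "TeststringB matches our pattern";
}
if (preg_match($pattern, $testStringA)) {
    echo "TeststringA matches our pattern";
}
?>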

将输出

TeststringA matches our pattern

然而,上面的RegEx只允许使用a-z、A-Z、0-9和空格(请参见方括号),您需要根据需要进行修改。

如果您正在使用Javascript:

正则表达式的好处是,在某种程度上,它们是可移植的。我用JavaScript重写了上面的代码,以便您更容易理解:

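// Allowlist check: the WHOLE string must be exactly one <b> element whose text
// is limited to letters, digits and spaces, so no attribute can fit.
// A regex literal is used instead of new RegExp("/.../"): inside a string the
// slashes are not delimiters but literal characters, so the original pattern
// could never match.  ^ and $ anchor the match to the full input; the class is
// a-zA-Z (A-z would also admit [ \ ] ^ _ `).
var re = /^<b>[a-zA-Z0-9 ]+<\/b>$/;
var testStringA = '<b>I am a nice text without any evil characters</b>';
var testStringB = '<b onclick="alert(evil)">I am supposed to be evil. :) </b>';
// alert() only exists in browsers; fall back to console.log elsewhere so the
// demo stays portable.
var show = typeof alert === 'function' ? alert : console.log;
if (re.test(testStringA)) {
    show(testStringA);
}
if (re.test(testStringB)) {
    show(testStringB);
}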

或者查看下面的 jsFiddle 示例:http://jsfiddle.net/3hz42/

这个函数可能对某些人有帮助,它是一个从字符串中去除XSS属性的Javascript函数。

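/**
 * Strip inline event-handler (on*), style and class attributes from every tag
 * in an HTML string.
 *
 * A single pattern replaces the hard-coded list: it matches ANY attribute whose
 * name starts with "on" (not just the eight listed before), plus style and
 * class, with the value double-quoted, single-quoted or unquoted.  The flags
 * are g and i, so every tag in the string is processed, not only the first
 * occurrence.  Browsers also accept "/" as a separator before an attribute
 * name, so it is allowed alongside whitespace.  One pass removes at most one
 * matching attribute per tag (the "<" is consumed by the match), so the
 * replacement repeats until the string stops changing; each pass strictly
 * shortens the string, so the loop terminates.
 *
 * Limitations: this strips attributes, it is not a full HTML sanitizer.  Tag
 * names, href/src URL schemes and attribute values containing ">" are not
 * examined.  A DOM-based allowlist sanitizer is the robust alternative.
 *
 * @param {string} e - HTML fragment.
 * @returns {string} The fragment with the attributes removed.
 */
function strip_attr(e) {
    var attr = /(<[^>]*?)[\s\/]+(?:on\w+|style|class)\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi;
    var r = e;
    var prev;
    do {
        prev = r;
        r = r.replace(attr, "$1");
    } while (r !== prev);
    return r;
}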

编辑
添加了安全的脚本的PHP变体

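/**
 * Strip inline event-handler (on*), style and class attributes from every tag
 * in an HTML string (PHP counterpart of the JavaScript strip_attr()).
 *
 * One pattern matches ANY attribute whose name starts with "on" (not only the
 * eight previously listed), plus style and class, whether the value is
 * double-quoted, single-quoted or unquoted.  Browsers also accept "/" as a
 * separator before an attribute name, so it is allowed alongside whitespace.
 * preg_replace() handles every tag in one call, but a pass removes at most one
 * matching attribute per tag, so the call repeats until the string stops
 * changing; each pass strictly shortens the string, so the loop terminates.
 *
 * Limitations: this strips attributes, it is not a full HTML sanitizer.  Tag
 * names, href/src URL schemes and attribute values containing ">" are not
 * examined.  strip_tags() with an allowlist or a DOM-based sanitizer is the
 * robust alternative.
 *
 * @param string $e HTML fragment.
 * @return string|null The cleaned fragment, or null if preg_replace() reports
 *                     an error (same failure mode as before).
 */
function strip_attr($e){
    $pattern = '/(<[^>]*?)[\s\/]+(?:on\w+|style|class)\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]*)/i';
    $r = $e;
    do {
        $prev = $r;
        $r = preg_replace($pattern, '$1', $r);
    } while ($r !== null && $r !== $prev);
    return $r;
}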

输入并放入一个变量,比如:$output

// Single-pattern variant: removes only double-quoted onclick="..." attributes
// (no single-quoted or unquoted form, no other handlers); see strip_attr() above.
$output = preg_replace('/(<[^>]+) onclick=".*?"/i', '$1', $input);

使用php函数strip_tags()

Javascript:

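// Remove every inline event-handler attribute (any name starting with "on")
// from EVERY <b> element, instead of only onclick/onfocus on the first one.
// The attribute list is iterated backwards because NamedNodeMap is live and
// shrinks as attributes are removed.  Run this on a detached document (e.g.
// one produced by DOMParser) so untrusted markup is cleaned before it is
// inserted into the live page.
var boldElements = document.getElementsByTagName("b");
for (var i = 0; i < boldElements.length; i++) {
    var attributes = boldElements[i].attributes;
    for (var j = attributes.length - 1; j >= 0; j--) {
        if (/^on/i.test(attributes[j].name)) {
            boldElements[i].removeAttribute(attributes[j].name);
        }
    }
}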