1.编辑器使用从校内网提取的编辑器
2.过滤成安全的HTML代码（注意：下面的两个过滤器都是黑名单式过滤，只能降低风险而不能保证安全；生产环境应在服务端使用白名单型 HTML 净化器，并在输出时按上下文转义）:
PHP
/**
 * "Safe HTML" filter applied to editor output.
 *
 * Strategy, as far as the visible code shows: strip comments, <? ?> and
 * <script> blocks, neutralise the characters [ ] | in the input, rewrite the
 * tags the filter is willing to keep into a [tag ...] form, entity-encode every
 * remaining < > ", then turn [ ] | back into < > ". Anything that ends up as a
 * real < > in the output is therefore a tag this function chose to keep.
 *
 * NOTE(review): several literals below look garbled by extraction — regex
 * backslashes appear as '/', and the str_replace() calls at the [ ] | and
 * < > " steps print search and replacement as the same character (presumably
 * entities such as &#91; and &lt; originally). As printed those calls are
 * no-ops and the '/'-for-'\' patterns would not compile; compare against the
 * original source before relying on this listing.
 *
 * NOTE(review): this is a blacklist filter and the visible code has gaps that
 * are not extraction artefacts (see inline notes): the void-tag rewrite runs
 * before the event-handler loop and that loop only inspects <...>, so an
 * onerror on <img> is never examined; the event-handler list is a fixed
 * prefix list; tags are accepted by structure, not by name; unquoted
 * attribute values pass through untouched. A whitelist sanitizer such as
 * HTML Purifier, plus htmlspecialchars() at output time, is the usual fix.
 *
 * @param string $text raw HTML from the editor
 * @return string filtered HTML; preg failures are not checked, so a bad
 *                pattern yields null with a PHP warning rather than an error
 */
function h($text){
$text = trim($text);
// Undoes magic_quotes-style escaping; with magic quotes off this also strips
// backslashes the user typed.
$text = stripslashes($text);
// Strip HTML comments. Greedy '.*' spans from the first '<!--' to the last
// '-->', and '.' does not cross newlines (newlines are only removed further down).
$text = preg_replace('/<!--?.*-->/','',$text);
// Strip PHP open/close tags ("dynamic code").
$text = preg_replace('/</?|/?>/','',$text);
// Strip <script> ... </script>; same greedy / no-newline caveat as above.
$text = preg_replace('/<script?.*//script>/','',$text);
// Neutralise the three characters this function uses as its own tag markers,
// since the final step turns [ ] | back into < > ". If this step does not
// actually change them (see header note), the whole scheme is bypassable.
$text = str_replace('[','[',$text);
$text = str_replace(']',']',$text);
$text = str_replace('|','|',$text);
// Drop line breaks (CRLF or LF).
$text = preg_replace('//r?/n/','',$text);
// <br> / <br/> -> [br], collapsing runs of ten or more into a single one.
$text = preg_replace('/<br(/s//)?>/i','[br]',$text);
$text = preg_replace('/(/[br/]/s*){10,}/i','[br]',$text);
// Void tags are kept as [tag attrs]; attributes may contain anything except
// < > [ ]. Attribute names are not restricted here, and because the result
// no longer starts with '<', the two pruning loops below never look at it:
// <img src=x onerror=alert(1)> survives to the output.
$text = preg_replace('/<(hr|img|input|area|isindex)( [^></[/]]*)>/i','[/1/2]',$text);
// Drop document-structure and embedding tags (open and close forms).
$text = preg_replace('/<//?(html|head|meta|link|base|body|title|style|script|form|iframe|frame|frameset)[^><]*>/i','',$text);
// Cut a <...> tag short at the first occurrence of a listed handler name (or
// " lang"). Matching is by substring anywhere in the tag, not by attribute
// name: an href containing "monkey" trips "onkey", while handlers missing
// from the list (onsubmit, oninput, ontoggle, onpointer*, onanimation*, ...)
// are left in place.
while(preg_match('/(<[^><]+)( lang|onfinish|onmouse|onexit|onerror|onclick|onkey|onload|onchange|onfocus|onblur)[^><]+/i',$text,$mat)){
$text=str_replace($mat[0],$mat[1],$text);
}
// Remove a few URL schemes / DOM words from inside <...> tags. Only literal
// spellings are caught: entity-encoded forms such as &#106;avascript: and
// schemes like data: are not in the list.
while(preg_match('/(<[^><]+)(window/.|javascript:|js:|about:|file:|document/.|vbs:|cookie)([^><]*)/i',$text,$mat)){
$text=str_replace($mat[0],$mat[1].$mat[3],$text);
}
// Accept any <x ...>text</x> pair by rewriting it to [x ...]text[/x].
// Acceptance is by structure, not by tag name: object, embed, svg, math and
// a (with any href) all qualify, and an attribute the loops above did not
// recognise, e.g. onpointerenter=alert(1), is kept.
while(preg_match('/<([a-z]+)[^></[/]]*>[^><]*<///1>/i',$text,$mat)){
$text=str_replace($mat[0],str_replace('>',']',str_replace('<','[',$mat[0])),$text);
}
// Inside kept tags, attr="v" / attr='v' -> attr=|v| (restored to " at the end).
while(preg_match('/(/[[^/[/]]*=/s*)(/"|/')([^/2=/[/]]+)/2([^/[/]]*/])/i',$text,$mat)){
$text=str_replace($mat[0],$mat[1].'|'.$mat[3].'|'.$mat[4],$text);
}
// Any quote character still inside a kept tag is unmatched: delete it.
while(preg_match('//[[^/[/]]*(/"|/')[^/[/]]*/]/i',$text,$mat)){
$text=str_replace($mat[0],str_replace($mat[1],'',$mat[0]),$text);
}
// Entity-encode every remaining < > " (replacement literals print garbled,
// see header note).
$text = str_replace('<','<',$text);
$text = str_replace('>','>',$text);
$text = str_replace('"','"',$text);
// Restore the kept tags: [ ] | -> < > ".
$text = str_replace('[','<',$text);
$text = str_replace(']','>',$text);
$text = str_replace('|','"',$text);
// Collapse extra / non-breaking spaces (literal also prints garbled).
$text = str_replace(' ',' ',$text);
return $text;
}
javascript
/**
 * Client-side pass over editor HTML before submission: removes
 * script/style/iframe blocks and div/form tags, blanks on* handlers and
 * javascript: attribute values, and forces target="_blank" on links.
 *
 * NOTE(review): the regex literals below appear garbled by extraction
 * (backslashes printed as '/', so '[/s]' was presumably '[\s]' and
 * '//script' was '\/script'); as printed they do not parse. Read each
 * pattern in its backslash form.
 *
 * NOTE(review): this runs in the browser, so a user can skip it by posting
 * the form directly; it is not a security control on its own and the server
 * must sanitize independently. Gaps visible in the patterns themselves are
 * noted inline.
 *
 * @param {string} html markup from the editor
 * @returns {string} the filtered markup
 */
function HtmlFilter(html){
// Block removals use a lazy '.*?' with no 's' flag, so a block containing a
// newline (e.g. '<script\n>') is not matched and survives.
html = html.replace(/<script.*?//script[/s]*>/ig, ' ');
html = html.replace(/<style.*?//style[/s]*>/ig, ' ');
html = html.replace(/<iframe.*?//iframe[/s]*>/ig, ' ');
// div/form tags are dropped; their contents are kept.
html = html.replace(/<[//]?div.*?>/ig, ' ');
html = html.replace(/<[//]?form.*?>/ig, ' ');
// on* handlers are only recognised after whitespace and are not anchored to a
// tag, so '<img/onerror=...>' (no whitespace, accepted by HTML5 parsers)
// slips through.
html = html.replace(/[/s]+on[/w]+[/s]*=[/s]*(?:/'[^/']*/'|/"[^/"]*/"|[^/s]*)/ig, ' ') ;
// Only a literal 'javascript' prefix is blanked; entity-encoded or
// whitespace-split spellings and data: URIs are not covered.
html = html.replace(/[/s]+([/w]+)[/s]*=[/s]*(?:/'[/s]*javascript.*?/'|/"[/s]*javascript.*?/"|[/s]*javascript.*?[/s]*)/ig, ' $1=""');
// Every '<a ...>' gets target="_blank" appended (an existing target stays in
// place as a duplicate) with no rel="noopener", so the opened page can reach
// window.opener in browsers that do not imply noopener for _blank.
html = html.replace(/<a (.*?)>/ig, '<a $1 target="_blank">');
return html;
}
两个 iframe 的嵌套
<td>
<textarea name="recontent" style="display:none"></textarea>
<iframe id="Editor" name="Editor" src="zEditor/htmltool.htm?id=recontent&height=200" frameborder="0" marginheight="0" marginwidth="0" scrolling="No" style="width: 100%; height: 200px;"></iframe>
</td>
</tr>
<script type="text/javascript">
<!--
// Render the upload row only when the client-side STAR flag is set. This is a
// display toggle, not authorization: static_data is client state and
// upload.php?fid=207 is presumably reachable directly, so upload.php itself
// must enforce who may upload. Nothing user-controlled is interpolated into
// the writeln string here.
if (static_data['STAR']) {
document.writeln('<tr><td><iframe ID="Upload" name="Upload" src="upload.php?fid=207" frameBorder="0" marginHeight="0" marginWidth="0" scrolling="No" style="width: 100%; height: 30px;"></iframe></td></tr>');
}
//-->
</script>
<tr>
<script type="text/javascript">
/**
 * Pre-submit check for the upload form: refuses submission when the "myfile"
 * field is empty, alerting the user and focusing the field.
 *
 * This is a usability aid that runs in the browser only; it is not an access
 * control, and upload.php has to validate the file on its own.
 *
 * @param {HTMLFormElement} form the form about to be submitted
 * @returns {boolean} true to allow submission, false to block it
 */
function checkF(form) {
    var fileField = form.elements['myfile'];
    var hasName = fileField.value != "";
    if (!hasName) {
        alert('文件名不能为空!');
        fileField.focus();
    }
    return hasName;
}
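/**
 * Appends an <img> for `src` to the editor's editable document (the
 * HtmlEditor frame nested inside the Editor frame) and asks the editor to
 * persist its content.
 *
 * The element is built with DOM calls instead of being concatenated into
 * innerHTML, so a `src` containing `"` or `>` cannot break out of the
 * attribute and inject markup; it also avoids re-parsing the whole body,
 * which `innerHTML +=` did on every insert.
 *
 * @param {string} src URL of the uploaded image
 */
function insertImg(src) {
    var editor = window.parent.frames['Editor'];
    var doc = editor.window.frames['HtmlEditor'].document;
    var img = doc.createElement('img');
    img.setAttribute('src', String(src));
    doc.body.appendChild(img);
    editor.SaveContent();
}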
</script>