过滤在线编辑器产生的不安全html代码.

  <?php   
  /**   
    *   过滤在线编辑器产生的不安全html代码.   
    *   
    *   PHP   versions   4   and   5   
    *   
    *   @copyright         版权所无，任意传播.   
    *   @link                   http://www.52sunny.net   
    *   @name                   html过滤     
    *   @version             v   0.0.10   
    *   @author               Lucklrj   (sunny_lrj@yeah.net,qq:7691272)   
    *   @lastmodified   2006-06-09   10:42   (Tue,   2006-06-09)     
    *   @notice               此版本只过滤js,框架，表单。   
                                    作者能力有限，使用本程序若产生任何安全问题，与本人无关。   
    欢迎来信与我交流。   
    */   
  $str="<tr><td   bgcolor='#FFFFFF'>   
  <div   style='url(123.offsetWidth)>";   
  //$str="url(javascript:x)";   
    
  /*不需要过滤的数组*/   
  $htm_on=array(   
  "<acronym","acronym>",   
  "<baseFont","baseFont>",   
  "<button","button>",   
  "<caption","caption>",   
  "<clientInformation","clientInformation>",   
  "<font","font>",   
  "<implementation","implementation>",   
  "<button","button>",   
  "<location","location>",   
  "<option","option>",   
  "<selection","selection>",   
  "<strong","strong>");   
    
  $htm_on_uper=array(   
  "<ACRONYM","ACRONYM>",   
  "<BASEFONT","BASEFONT>",   
  "<BUTTON","BUTTON>",   
  "<CAPTION","CAPTION>",   
  "<CLIENTINFORMATION","CLIENTINFORMATION>",   
  "<FONT","FONT>",   
  "<IMPLEMENTATION","IMPLEMENTATION>",   
  "<BUTTON","BUTTON>",   
  "<LOCATION","LOCATION>",   
  "<OPTION","OPTION>",   
  "<SELECTION","SELECTION>",   
  "<STRONG","STRONG>");   
    
  /*字符格式*/   
  $str=strtolower($str);   
  $str=preg_replace("/s+/",   "   ",   $str);//过滤回车   
  $str=preg_replace("/   +/",   "   ",   $str);//过滤多个空格   
    
  /*过滤/替换几种形式的js*/   
  $str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","",$str);//删除<script>。。。</script>格式，   
  //$str=preg_replace("/<(script.*?)>(.*?)<(/script.*?)>/si","&lt;/1&gt;/2&lt;/3&gt;",$str);//替换为可以显示的，   
    
  $str=preg_replace("/<(script.*?)>/si","",$str);//删除<script>未封闭   
  //$str=preg_replace("/<(script.*?)>/si","&lt;/1&gt;",$str);//替换未封闭   
    
  /*删除/替换表单*/   
  $str=preg_replace("/<(/?form.*?)>/si","",$str);//删除表单   
  //$str=preg_replace("/<(/?form.*?)>/si","&lt;/1&gt;",$str);//替换表单   
    
  $str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","",$str);//删除框架   
  //$str=preg_replace("/<(i?frame.*?)>(.*?)<(/i?frame.*?)>/si","&lt;/1&gt;/2&lt;/3&gt;",$str);//替换框架   
    
  /*过滤on事件*/   
  $str=preg_replace("/href=(.+?)(["|'|   |>])/ie","'href='.strtoupper('/1').'/2'",$str);//把href=涉及到的on转换为大写。   
  $str=str_replace($htm_on,$htm_on_uper,$str);//把<font,font>换为大写,dhtml标签字符，正则判断太烦琐，采用转换办法。   
  $str=preg_replace("/(on[^   .<>]+?)([   |>])/s","/2",$str);//取掉on事件   
    
  /*过滤超级连接的js*/   
  $str=preg_replace("/(href|src|background|url|dynsrc|expression|codebase)[=:(]([   "']*?w+..*?|javascript|vbscript:[^>]*?)()?)([   >/])/si","/1='#'   /3/4",$str);//取掉href=javascript:   
    
  //返回小写字符   
  $str=strtolower($str);   
  $str=str_replace("&","&#x26;",$str);   
  echo   $str;   
  ?>