尝试去除字符：/和\\

Question

I am having issues trying to strip / and \\ characters. When i try to strip using \\\\ it strips \\ but when I try /// it doesn't strip / at all.

function stripinname( $text )
{
$text = preg_replace(
    array(
        '/\|/','/\"/','/\</','/\>/','/\s[\s]+/','/^[\-]+/','/[\-]+$/','/\%/','/\\\\/','/\////','/\@/','/\&/','/\:/','/\;/','/\-/',
        '@<head[^>]*?>.*?</head>@siu',
        '@<style[^>]*?>.*?</style>@siu',
        '@<script[^>]*?.*?</script>@siu',
        '@<object[^>]*?.*?</object>@siu',
        '@<embed[^>]*?.*?</embed>@siu',
        '@<applet[^>]*?.*?</applet>@siu',
        '@<noframes[^>]*?.*?</noframes>@siu',
        '@<noscript[^>]*?.*?</noscript>@siu',
        '@<noembed[^>]*?.*?</noembed>@siu',
      // Add line breaks before and after blocks
        '@</?((address)|(blockquote)|(center)|(del))@iu',
        '@</?((div)|(h[1-9])|(ins)|(isindex)|(p)|(pre))@iu',
        '@</?((dir)|(dl)|(dt)|(dd)|(li)|(menu)|(ol)|(ul))@iu',
        '@</?((table)|(th)|(td)|(caption))@iu',
        '@</?((form)|(button)|(fieldset)|(legend)|(input))@iu',
        '@</?((label)|(select)|(optgroup)|(option)|(textarea))@iu',
        '@</?((frameset)|(frame)|(iframe))@iu',
    ),
    array(
        ' ',' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ',"$0", "$0", "$0", "$0", "$0", "$0","$0", "$0",), $text );

// you can exclude some html tags here, in this case B and A tags        
return strip_tags($text);
}

Answer 1

Don't do this.

Did you know MSIE supports javascript loading from CSS using behavior:url() ? Did you know we can execute javascript: urls in <img> tags?

Use someone else's HTML sanitizer; HTML Purifier is all right- it has lots of users, and whenever someone finds a bug in it, it gets fixed, and everyone using it benefits.

Whereas any bugs in your code (like the one I'm looking at right now) will only be fixed if you find it.

I will find a way in.

I always do.

Edit:

The reason your code doesn't work is that you don't understand it. Not understanding your program in areas like this is where security-related problems come from. Since you have decided I'm just "posting like a big shot", you're ignoring my advice. By doing so, you do a disservice to the entire software developer/engineer industry:

1. You don't understand regular expressions; ,/, matches slashes.
2. You don't understand how PHP's preg_replace() actually matches regular expressions: To match all slashes, you need to match them globally, as in ,/,g
3. You don't understand that the / will appear legitimately inside an HTML tag. By replacing it as you have, I can actually create HTML tags that you're attempting to strip.
4. You think strip_tags() does what it says on the tin. It doesn't.
5. You've miscounted your arguments. Some of the things you think you are splitting are just getting replaced with themselves.
6. You're not checking for errors. preg_replace() can return NULL .

You've got so much hubris; you think you've mastered the secrets of this great gig which just involve asking questions on stackoverflow and copying/pasting examples from the PHP wiki. You need to stop this . Writing bug-free programs involves understanding every word, and while I'm happy to help you learn how to do this, I'm going to have to insist that you behave responsibly.

You should have the ethical sense to avoid writing the code you aren't yet experienced enough to write.

Go get these kinds of routines from a reputable source, and learn from other people's mistakes; Your clients/employers/etc do not deserve your bugs; our industry does not deserve this kind of bullshit.