从HTML标签中删除* JS事件属性 [英] Remove on* JS event attributes from HTML tags

问题描述

请帮忙解析PHP简单的html字符串（php regexp）。
我需要从html代码中删除html-js事件。
我知道php正则表达式非常糟糕。

Please, help to parse in PHP simple html strings (php regexp). I need drop html-js events from html code. I know php regular expressions very bad.

代码示例：

< button onclick =.. javascript instruction ..>

结果： < button>

< button onclick =.. javascript instruction .. =..>

结果： < button value = ..>

< button onclick = .. javascript指令..>

结果： < button>

< button onclick = .. javascript指令..值>

结果： <按钮值>

因为所有现代浏览器都允许在没有quoutes的情况下执行属性。

I need to do this without quotes and with, because all modern browsers is allow to do attributes without quoutes.

注意：我不需要解析，只能在...上，它都是atrributes ，从'开'开始。

Note: I nedd parse not only onclick.. it is all atrributes, which begins from 'on'.

注意（2）：不要暗示HTML PARSER，因为它将是非常大的树木。

Note (2): DONT TRY TO ADVICE HTML PARSER, BECAUSE IT WILL BE VERY BIG DOM TREE FOR PARSE..

更新：感谢您的回复！现在，我使用HTMLPurifier组件由我写的一个小框架。

UPDATED: Thanks, for your reply! Now, i use HTMLPurifier component on written by me a small framework.

推荐答案

使用正则表达式进行标记化没有错误。但是使用正则表达式创建一个完整的HTML标记器是很多工作，很难正确。我建议使用一个正确的解析器，因为您可能需要删除脚本标签等等。

There is nothing wrong with tokenizing with regex. But making a full HTML tokenizer with regex is a lot of work and difficult to get right. I would recommend using a proper parser, because you will probably need to remove script tags and such anyway.

假设不需要一个完整的符号分析器，以下可以使用正则表达式和代码从HTML标签中删除* 属性上的。
因为没有使用正确的tokenizer，它会匹配字符串，甚至在脚本，注释，CDATA等中看起来像标签。

Assuming a full tokenizer is not needed, the following regex and code can be used to remove on* attributes from HTML tags. Because a proper tokenizer is not used, it would match strings that look like tags even in scripts, comments, CDATA, etc.

不保证所有输入/浏览器组合都会删除所有事件属性！请参阅下面的注释。

关于错误容忍的注意事项：

浏览器通常会宽恕错误。
由于当无效数据存在时，很难标记标签并获取属性，因为浏览器会看到它们。
由于错误容忍和处理在浏览器之间是不同的，所以在所有情况下都不可能制定一个适用于这些解决方案的解决方案。

Browsers are usually forgiving of errors. Due to that it is difficult to tokenize tags and get the attributes as the browser would see them when "invalid" data is present. Because error tolerance and handling differs between browsers it is impossible to make a solution that works for them all in all cases.

因此：某些浏览器（当前，过去或将来的版本）可以处理我的代码不认为是标签的标签，并执行JS代码。

Thus: Some browser(s) (current, past, or future version) could treat something which my code does not think is a tag, as a tag, and execute the JS code.

在我的代码中，我尝试模拟最近Google Chrome版本的标签（和容错/处理）的标记。
Firefox似乎以类似的方式执行。

In my code I have attempted to mimic tokenization of tags (and error tolerance/handling) of recent Google Chrome versions. Firefox seems to do it in a similar way.

IE 7有所不同，在某些情况下它不如宽容（这比更宽容更好） ）。
（IE 6 - 不要去那里，请参阅 XSS过滤器回避作弊表）

IE 7 differs, in some cases it's not as tolerant (which is better than if it was more tolerant). (IE 6 - lets not go there. See XSS Filter Evasion Cheat Sheet)

相关链接：

Relevant links:

• HTML5令牌化


• XSS筛选器回避作弊表

• HTML5 Tokenization
• XSS Filter Evasion Cheat Sheet

$redefs = '(?(DEFINE)
    (?<tagname> [a-z][^\s>/]*+    )
    (?<attname> [^\s>/][^\s=>/]*+    )  # first char can be pretty much anything, including =
    (?<attval>  (?>
                    "[^"]*+" |
                    \'[^\']*+\' |
                    [^\s>]*+            # unquoted values can contain quotes, = and /
                )
    ) 
    (?<attrib>  (?&attname)
                (?: \s*+
                    = \s*+
                    (?&attval)
                )?+
    )
    (?<crap>    [^\s>]    )             # most crap inside tag is ignored, will eat the last / in self closing tags
    (?<tag>     <(?&tagname)
                (?: \s*+                # spaces between attributes not required: <b/foo=">"style=color:red>bold red text</b>
                    (?>
                        (?&attrib) |    # order matters
                        (?&crap)        # if not an attribute, eat the crap
                    )
                )*+
                \s*+ /?+
                \s*+ >
    )
)';


// removes onanything attributes from all matched HTML tags
function remove_event_attributes($html){
    global $redefs;
    $re = '(?&tag)' . $redefs;
    return preg_replace("~$re~xie", 'remove_event_attributes_from_tag("$0")', $html);
}

// removes onanything attributes from a single opening tag
function remove_event_attributes_from_tag($tag){
    global $redefs;
    $re = '( ^ <(?&tagname) ) | \G \s*+ (?> ((?&attrib)) | ((?&crap)) )' . $redefs;
    return preg_replace("~$re~xie", '"$1$3"? "$0": (preg_match("/^on/i", "$2")? " ": "$0")', $tag);
}

在线示例：

$str = '
<button onclick="..javascript instruction..">
<button onclick="..javascript instruction.." value="..">
<button onclick=..javascript_instruction..>
<button onclick=..javascript_instruction.. value>
<hello word "" ontest = "hai"x="y"onfoo=bar/baz  />
';

echo $str . "\n----------------------\n";

echo remove_event_attributes($str);

输出：

<button onclick="..javascript instruction..">
<button onclick="..javascript instruction.." value="..">
<button onclick=..javascript_instruction..>
<button onclick=..javascript_instruction.. value>
<hello word "" ontest = "hai"x="y"onfoo=bar/baz  />

----------------------

<button >
<button  value="..">
<button >
<button  value>
<hello word "" x="y"   />

这篇关于从HTML标签中删除* JS事件属性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！