3v4l.org

run code in 200+ php & hhvm versions
Bugs & Features
<?php function xss_clean($str){ // Remove all NULL bytes $str = str_replace("\0", '', $str); // Fix &entity\n; $str = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $str); $str = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $str); $str = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $str); $str = preg_replace('#(<[^>]+?;base64,.+>|<[^>]+?.+;base64,.+>.+<\/.+>)#','',$str); //$str = html_entity_decode($str, ENT_COMPAT, $charset); //org $str = html_entity_decode($str, ENT_COMPAT); // Remove any attribute starting with "on" or xmlns $str = preg_replace('#(?:on[a-z]+|xmlns)\s*=\s*[\'"\x00-\x20]?[^\'>"]*[\'"\x00-\x20]?\s?#iu', '', $str); // Remove javascript: and vbscript: protocols $str = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $str); $str = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $str); $str = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $str); // Only works in IE: $str = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#is', '$1>', $str); $str = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#is', '$1>', $str); $str = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#ius', '$1>', $str); // Remove namespaced elements (we do not need them) $str = preg_replace('#<!--*\w+:\w[^-->]*+>#i', '', $str); do{ // Remove really unwanted tags $old = $str; $str = preg_replace('#<!--*(?:applet|b(?:ase|gsound|link)|embed|ilayer|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^-->]*+>#i', '', $str); } while ($old !== $str); return $str; } $str = 'qwejlj<img src =x onerror=confirm(document.cookie);lol'; echo xss_clean($str);
based on lJfbg
Output for 4.3.2 - 7.2.0
qwejlj<img src =x
Output for 4.3.0 - 4.3.1

Process exited with code 139.