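/**
 * Denylist filter for text placed inside a tag.
 *
 * The input goes through self::escape() with the 'tag' context and then
 * self::hexToSymbols(). A literal str_ireplace() pass and an ordered list
 * of regular expressions are applied to the result.
 *
 * This is a denylist: it only removes the spellings listed below. Use it
 * in addition to context-aware output encoding, not instead of it.
 *
 * NOTE(review): the pattern list runs once, in order. Text left behind by a
 * later removal is not re-checked against earlier patterns. Confirm that
 * callers do not rely on the result being stable under a second pass.
 *
 * NOTE(review): the ':' => ':' pair in the str_ireplace() map is a no-op as
 * written. Some literals on this page may have been HTML entities that were
 * decoded when the page was captured; compare with the upstream file.
 *
 * @param string $s Raw value to filter.
 *
 * @return string Filtered value, or '' if the regex engine reports an error.
 */
protected static function cleanTagInnerXSS( string $s ): string {
    $escaped = self::escape( $s, 'tag' );

    // Literal (case-insensitive) substitutions applied before the regex pass.
    $normalized = str_ireplace(
        ['\u0', ':', '&tab;', '&newline;'],
        ['\0', ':', '', ''],
        self::hexToSymbols( $escaped )
    );

    $patterns = [
        // Backslash escapes (\XXXX, \uXXXX, \u{XXXX}) become &#xXXXX; references.
        '/\\\\u?{?([a-f0-9]{4,}?)}?/mi',
        // High-bit and UTF-7 spellings of "<...>".
        '/\¼\/?\w*\¾\w*/mi',
        '/\+ADw-\/?\w*\+AD4-\w*/mi',
        // Script/CSS keywords, tolerating whitespace between letters, plus an
        // optional ':' / ';' / ',' and any trailing word characters.
        '/:?e[\s]*x[\s]*p[\s]*r[\s]*e[\s]*s[\s]*s[\s]*i[\s]*o[\s]*n[\s]*(:|;|,)?\w*/mi',
        '/l[\s]*i[\s]*v[\s]*e[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/j[\s]*a[\s]*v[\s]*a[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/j[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/b[\s]*e[\s]*h[\s]*a[\s]*v[\s]*i[\s]*o[\s]*r[\s]*(:|;|,)?\w*/mi',
        '/v[\s]*b[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/v[\s]*b[\s]*s[\s]*(:|;|,)?\w*/mi',
        // The next two quantify the last letter itself (t*, g*), so they also
        // match when that letter is absent. Kept exactly as in the original.
        '/e[\s]*c[\s]*m[\s]*a[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t*(:|;|,)?\w*/mi',
        '/b[\s]*i[\s]*n[\s]*d[\s]*i[\s]*n[\s]*g*(:|;|,)?\w*/mi',
        // UTF-7 byte-order-mark signatures.
        '/\+\/v(8|9|\+|\/)?/mi',
        // "%0" followed by optional zeros and a slash.
        '/\/*?%00*?\//m',
        // Literal "_#_#_" marker.
        '/_#_#_/mi',
    ];

    // Only the first pattern has a non-empty replacement; the rest are removed.
    $replacements = ['&#x$1;', '', '', '', '', '', '', '', '', '', '', '', '', '', ''];

    // preg_replace() returns null on a PCRE error (for example a backtrack or
    // JIT stack limit). With a declared string return type that null would
    // raise a TypeError, so fail closed with an empty string instead.
    return preg_replace( $patterns, $replacements, $normalized ) ?? '';
}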
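/**
 * Denylist filter for attribute-context values.
 *
 * The input goes through self::escape() with the 'attr' context and then
 * self::hexToSymbols(). A literal str_ireplace() pass and an ordered list
 * of regular expressions are applied to the result. Unlike
 * cleanTagInnerXSS(), this list also strips angle brackets and numeric
 * character references.
 *
 * This is a denylist: it only removes the spellings listed below. Use it
 * in addition to context-aware output encoding, not instead of it.
 *
 * NOTE(review): the pattern list runs once, in order. Text left behind by a
 * later removal is not re-checked against earlier patterns. Confirm that
 * callers do not rely on the result being stable under a second pass.
 *
 * NOTE(review): the ':' => ':' pair in the str_ireplace() map is a no-op,
 * and '/<?/' is just an optional '<' that overlaps the following '/</'.
 * Some literals on this page may have been HTML entities that were decoded
 * when the page was captured; compare with the upstream file.
 *
 * @param string $s Raw value to filter.
 *
 * @return string Filtered value, or '' if the regex engine reports an error.
 */
protected static function cleanXSS( string $s ): string {
    $escaped = self::escape( $s, 'attr' );

    // Literal (case-insensitive) substitutions applied before the regex pass.
    $normalized = str_ireplace(
        ['\u0', ':', '&tab;', '&newline;'],
        ['\0', ':', '', ''],
        self::hexToSymbols( $escaped )
    );

    $patterns = [
        // Backslash escapes (\XXXX, \uXXXX, \u{XXXX}) become &#xXXXX; references.
        '/\\\\u?{?([a-f0-9]{4,}?)}?/mi',
        // "*word*" runs.
        '/\*\w*\*/mi',
        // Script/CSS keywords, tolerating whitespace between letters, plus an
        // optional ':' / ';' / ',' and any trailing word characters.
        '/:?e[\s]*x[\s]*p[\s]*r[\s]*e[\s]*s[\s]*s[\s]*i[\s]*o[\s]*n[\s]*(:|;|,)?\w*/mi',
        '/l[\s]*i[\s]*v[\s]*e[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/j[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/j[\s]*a[\s]*v[\s]*a[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/b[\s]*e[\s]*h[\s]*a[\s]*v[\s]*i[\s]*o[\s]*r[\s]*(:|;|,)?\w*/mi',
        '/v[\s]*b[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t[\s]*(:|;|,)?\w*/mi',
        '/v[\s]*b[\s]*s[\s]*(:|;|,)?\w*/mi',
        // The next two quantify the last letter itself (t*, g*), so they also
        // match when that letter is absent. Kept exactly as in the original.
        '/e[\s]*c[\s]*m[\s]*a[\s]*s[\s]*c[\s]*r[\s]*i[\s]*p[\s]*t*(:|;|,)?\w*/mi',
        '/b[\s]*i[\s]*n[\s]*d[\s]*i[\s]*n[\s]*g*(:|;|,)?\w*/mi',
        // UTF-7 byte-order-mark signatures.
        '/\+\/v(8|9|\+|\/)?/mi',
        // "&{...}" constructs and decimal character references.
        '/&{\w*}\w*/mi',
        '/&#\d+;?/m',
        // Hex spellings ending in 3c and 60, with up to five leading zeros.
        '/x0{0,5}?3c;?/mi',
        '/x0{0,5}?60;?/mi',
        // Angle brackets, literal and percent-encoded.
        '/<?/mi',
        '/</m',
        '/%3c/mi',
        '/\/?>/mi',
        // High-bit and UTF-7 spellings of "<...>".
        '/\¼\/?\w*\¾\w*/mi',
        '/\+ADw-\/?\w*\+AD4-\w*/mi',
        // Literal "_#_#_" marker.
        '/_#_#_/mi',
    ];

    // Only the first pattern has a non-empty replacement; the rest are removed.
    $replacements = ['&#x$1;', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', ''];

    // preg_replace() returns null on a PCRE error (for example a backtrack or
    // JIT stack limit). With a declared string return type that null would
    // raise a TypeError, so fail closed with an empty string instead.
    return preg_replace( $patterns, $replacements, $normalized ) ?? '';
}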