防御XSS攻击,最简单粗暴的做法就是用htmlspecialchars把特殊字符(&,",',<,>
)替换为HTML实体(&"'<>
)后输出.防御XSS攻击,最复杂的做法就是自己写正则过滤,不过还好有HTMLPurifier库,除了能过滤XSS代码,还能把不完整的标签补全或者去掉.
<?php
# http://htmlpurifier.org/download
require dirname(__FILE__).'/htmlpurifier/library/HTMLPurifier.auto.php';
$purifier = new HTMLPurifier();
echo $purifier->purify($html);