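/**
 * Decode a small set of HTML entities, then neutralise a deny-list of tags
 * and strip inline on* event-handler attributes.
 *
 * NOTE(review): the listing this was taken from had its entities decoded and
 * its backslashes turned into slashes by the page rendering, so several calls
 * read as identity replacements and the regexes were malformed. The entity
 * names and backslashes below are reconstructed from the replacement targets
 * and the inline comments; confirm against the copy you actually deploy.
 *
 * Security caveats:
 *  - This is a deny-list filter. Every tag and attribute not listed below
 *    passes through as live markup, so the result is NOT safe to print for
 *    untrusted input. Escape at output time with htmlspecialchars(), or run
 *    content that must keep markup through an allow-list HTML sanitiser.
 *  - The listing also carried a run of str_replace() calls for SQL keywords
 *    (select, join, union, where, insert, delete, update, like, drop, create,
 *    modify, rename, alter, and "cas" => "cast"). Their search strings did not
 *    survive rendering: all but the last are no-ops as shown, and the last
 *    would corrupt ordinary words, so they are omitted. Rewriting keywords is
 *    not a SQL-injection defence in any case; bind parameters with prepared
 *    statements instead.
 *
 * @param string|null $str Text to decode.
 * @return string|null Decoded and filtered text; null/'' are returned as given,
 *                     and null is returned if PCRE fails on the input.
 */
function htmldecode($str)
{
    // The original tested empty($str), which also discarded the string "0"
    // and made its own `$str == ""` check unreachable.
    if ($str === null || $str === '') {
        return $str;
    }

    // Applied in order. &amp; is decoded after the other entities so that an
    // already-escaped entity such as "&amp;lt;" is decoded one level only and
    // never becomes a live "<". A second replacement that produced chr(9) is
    // left out: its search string was indistinguishable from the one for
    // chr(32) in the listing, which made it dead code.
    $str = str_replace(
        array('&quot;', '&gt;', '&lt;', '&nbsp;', '&#39;', '&amp;', '<br />', "''"),
        array(chr(34), '>', '<', chr(32), chr(39), '&', chr(13), "'"),
        $str
    );

    $str = preg_replace(
        array(
            // Collapse redundant whitespace (this also flattens the CR that
            // replaced "<br />" above).
            '/\s+/',
            // Neutralise tags that can pull in active content. Add "object"
            // to the list if embedded plugins are not needed.
            '/<(\/?)(img|script|i?frame|style|html|body|title|link|meta|\?|\%)([^>]*?)>/isU',
        ),
        array(
            ' ',
            // Re-escape the brackets so the tag is displayed, not parsed. The
            // listing showed a bare "<...>" here, which left the tag intact.
            // Use '' instead to drop the tag entirely.
            '&lt;\\1\\2\\3&gt;',
        ),
        $str
    );
    if ($str === null) {
        return null;
    }

    // Strip on* event-handler attribute names. One match consumes the whole
    // tag, so a single pass removes only the first handler in each tag; the
    // pattern is re-applied until nothing is left to remove.
    $handlerPattern = '/(<[^>]*)on[a-zA-Z]+\s*=([^>]*>)/isU';
    do {
        $str = preg_replace($handlerPattern, '\\1\\2', $str, -1, $removed);
    } while ($str !== null && $removed > 0);

    return $str;
}

// Poster's note (translated): found this online; I was too lazy to write my own, it can be used as-is.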