Like publishing articles, the content obtained through the editor generally have P, IMG and other HTML tags, such content is not straip_tags to filter. The general editor automatically escapes HTML tags, but an attacker could bypass the editor and wonder if such content needs filtering, and if so, how to filter it?
Reply content:
Like publishing articles, the content obtained through the editor generally have P, IMG and other HTML tags, such content is not straip_tags to filter. The general editor automatically escapes HTML tags, but an attacker could bypass the editor and wonder if such content needs filtering, and if so, how to filter it?
The simplest and most brutal way to defend against XSS attacks is to use Htmlspecialchars to replace special characters ( &,",',<,>
) with HTML entities ( &"'<>
). The most complicated way to defend against XSS attacks is to write regular filters yourself, but fortunately there are htmlpurifier libraries, In addition to filtering the XSS code, you can also complete or remove incomplete tags.
purify($html);