正在删除< script>标签 - PHP [英] Removing <script> tag - PHP

问题描述

如何更改< script>的所有匹配项<脚本> < SCRIPT> < SCRIPT>所以.. 到& lt; script& gt; & lt; Script& gt; with PHP

我也想删除

How to change all the occurrence of the <script> <Script> <scRipT> <sCrIpT> and so .. to <script> <Script> with PHP
I also want to remove

输入将取自一个WYSIWYG编辑器，所以我不能使用strip_tags函数。

The input will be taken from a WYSIWYG Editor, so i can not use the strip_tags function.

编辑2

有没有其他方式用户可以使用某种奇怪的字符执行javascript


我在互联网上找到了这个

Edit 2
Is there any other way a user can execute a javascript with some kind of strange characters to
I found this on internet

<scr<!--*-->ipt>
alert('hi')
</script>

但它没有用，有没有这样的可能性？

But it did not worked though, is there any such possibilities ?

推荐答案

对于不区分大小写的替换，可能最简单的方法是 str_ireplace（），但这不会保留sCriPt字样的情况。但是如果你想要解决XSS攻击可能会很好：

Probably the simplest method would be str_ireplace() for case-insensitive replacement, however this won't preserve the case of the "sCriPt" word. But if you're out to de-fang XSS attacks that may be just fine:

str_ireplace("<script>", "&lt;script&gt;", $input);

可以使用 preg_replace（）保留案例，但速度会慢一些。这可能有用，但如果是我，我会使用 str_ireplace（） ...

A more complex solution could be devised with preg_replace() to preserve case, but would be slower. This might work, but if it were me I'd use str_ireplace()...

preg_replace("/<(script)>/i", "&lt;$1&gt;", $input);

注意：如果是XSS预防，那么你也不会这些考虑了诸如< script type = text / javascript> 之类的内容。要真正处理这些情况，您需要将HTML字符串加载到 DOMDocument 中并删除有问题的脚本节点。

Note: If it is XSS prevention you're after, neither of these takes into account things like <script type=text/javascript>. To truly handle these cases, you need to load the HTML string into DOMDocument and delete the offending script nodes.

这篇关于正在删除< script>标签 - PHP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！