正在删除< script>标签 - PHP [英] Removing <script> tag - PHP
问题描述
如何更改< script>的所有匹配项<脚本> < SCRIPT> < SCRIPT>所以..
到& lt; script& gt; & lt; Script& gt;
with PHP
我也想删除
How to change all the occurrence of the <script> <Script> <scRipT> <sCrIpT> and so ..
to <script> <Script>
with PHP
I also want to remove
输入将取自一个WYSIWYG编辑器,所以我不能使用strip_tags函数。
The input will be taken from a WYSIWYG Editor, so i can not use the strip_tags function.
编辑2
有没有其他方式用户可以使用某种奇怪的字符执行javascript
我在互联网上找到了这个
Edit 2
Is there any other way a user can execute a javascript with some kind of strange characters to
I found this on internet
<scr<!--*-->ipt>
alert('hi')
</script>
但它没有用,有没有这样的可能性?
But it did not worked though, is there any such possibilities ?
推荐答案
对于不区分大小写的替换,可能最简单的方法是 str_ireplace()
,但这不会保留sCriPt字样的情况。但是如果你想要解决XSS攻击可能会很好:
Probably the simplest method would be str_ireplace()
for case-insensitive replacement, however this won't preserve the case of the "sCriPt" word. But if you're out to de-fang XSS attacks that may be just fine:
str_ireplace("<script>", "<script>", $input);
可以使用 preg_replace()$ c设计更复杂的解决方案$ c>保留案例,但速度会慢一些。这可能有用,但如果是我,我会使用
str_ireplace()
...
A more complex solution could be devised with preg_replace()
to preserve case, but would be slower. This might work, but if it were me I'd use str_ireplace()
...
preg_replace("/<(script)>/i", "<$1>", $input);
注意:如果是XSS预防,那么你也不会这些考虑了诸如< script type = text / javascript>
之类的内容。要真正处理这些情况,您需要将HTML字符串加载到 DOMDocument
中并删除有问题的脚本节点。
Note: If it is XSS prevention you're after, neither of these takes into account things like <script type=text/javascript>
. To truly handle these cases, you need to load the HTML string into DOMDocument
and delete the offending script nodes.
这篇关于正在删除< script>标签 - PHP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!