FILTER_SANITIZE_STRING正在剥离<字符及其后的任何文本 [英] FILTER_SANITIZE_STRING is stripping the < character and any text after it
问题描述
在变量(由人工输入填充)上使用FILTER_SANITIZE_STRING时,我遇到一个奇怪的问题.似乎删除了<字符以及此后的所有文本. >字符保持不变.
I have a strange problem when using FILTER_SANITIZE_STRING on a variable (populated by human input). It seems to strip the < character and any text that comes after that. The > character is left untouched.
我认为它认为<是需要剥离的HTML标记,但是在其后面没有结束标记,因此我不知道为什么会这样.有没有办法让它保留<到位,并且仍然消毒它应有的方式?
I assume it thinks the < is an HTML tag that needs to be stripped, however there is no closing tag behind it, so I haven't got a clue why it would behave like that. Is there a way to make it leave the < in place, and still sanitize the way it should?
推荐答案
根本问题是,当您使用FILTER_SANITIZE_STRING剥离HTML标记时,会将输入作为HTML进行处理.根据您的描述,您的输入是纯文本.因此,过滤器只能破坏输入数据,因为用户已经报告过.
The root issue is that when you use FILTER_SANITIZE_STRING to strip HTML tags you are handling your input as HTML. According to your description, your input is plain text. As such, the filter can only corrupt the input data, as users have already reported.
虽然这似乎是一种很流行的技术,但我从未理解将纯文本上的HTML标签剥离为消毒方法的概念.如果不是HTML,则无需关心HTML标记,其原因与您无需关心SQL关键字或命令行命令的原因相同.没什么,只是数据.
While it seems to be quite a popular technique, I've never understood the concept of striping HTML tags on plain text as sanitization method. If it isn't HTML you don't need to care about HTML tags, for the same reason that you don't need to care about SQL keywords or command line commands. It's nothing but data.
但是,当然,当您随后将字符串注入HTML时,您需要对其进行转义以确保:
But, of course, when you inject your string into HTML afterwards you need to escape it in order to ensure that:
- 您的数据按原样显示
- 结果仍然是有效的HTML
这就是为什么 htmlspecialchars()存在的原因.同样,在动态生成任何其他类型的代码时,您需要使用相应的转义机制:SQL,JavaScript,JSON ...
That's why htmlspecialchars() exists. Similarly, you need to use the corresponding escape mechanism when you dynamically generate any other kind of code: SQL, JavaScript, JSON...
这篇关于FILTER_SANITIZE_STRING正在剥离<字符及其后的任何文本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
