防止将 HTML 数据发布到表单文本框中 [英] Prevent HTML data from being posted into form textboxes
问题描述
我正在使用 PHP 制作一个 Web 应用程序,其中我有一个表单,可以将条目输入 MySQL 数据库,然后将其显示在另一个网页上.但问题是表单中的文本框倾向于接受 HTML 内容,使应用程序容易受到 XSS 黑客攻击.在网页中显示之前,如何将 HTML 转换为纯文本.
I'm making a web application using PHP in where I have a form that makes entries into a MySQL database and later displays it on another webpage. But the problem is that the text boxes in the form tend to accept HTML content making the application vulnerable to XSS hacks. How do I convert HTML to plain text before I display it in the webpage.
如果我没有提供任何信息,请随时提问.
- - - - - - - - - - - - - - - - - - - -(更新) - - - ---------------------------------
很多小伙伴都建议使用htmlspecialchars,但在这种情况下,如果我要允许用户使用超链接引用其他页面,我该怎么做?
Please feel free to ask questions in case I lack providing any information.
---------------------------------------(UPDATE)----------------------------------------
Many of you fellow mates have suggested the use of htmlspecialchars but in that case, if I were to allow user to refer to other pages using hyperlinks, how do I do that?
推荐答案
htmlspecialchars 是一种防止xss
strip_tags 也会去掉 PHP 标签
strip_tags also strips out PHP tags
还要确保使用 mysqli_real_escape_string 或类似的防止SQL注入
also make sure to use mysqli_real_escape_string or the like to prevent SQL injection
更新为了响应您的更新,最简单的方法是使用众多 markdown 之一语法ala 大胆的火球.由于markdown 语法不是HTML/PHP 标签,它应该可以毫无问题地通过PHP 函数,但我自己从未实现过,所以YMMV.
UPDATE in response to your update, the simplest way to do that would be to use one of the many markdown syntaxes ala Daring Fireball. Since the markdown syntax are not HTML/PHP tags, it should pass through the PHP functions without problem, but I have never implemented this myself, so YMMV.
这篇关于防止将 HTML 数据发布到表单文本框中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
