Filter out or remove special HTML tags, for example: script, iframe, and replace &lt; for <, &gt; for >, &quot; for "
Filter out JavaScript event attributes, for example "onclick=", "onfocus", and so on.
XSS prevention in Yii
<h2>Profile of <?php echo CHtml::encode($user->name) ?></h2>
Source of this method:
/**
 * Encodes special characters into HTML entities.
 * The [[\yii\base\Application::charset|application charset]] will be used for encoding.
 * @param string $content the content to be encoded
 * @param boolean $doubleEncode whether to encode HTML entities in `$content`. If false,
 * HTML entities in `$content` will not be further encoded.
 * @return string the encoded content
 * @see decode()
 * @see http://www.php.net/manual/en/f ... s.php
 */
public static function encode($content, $doubleEncode = true)
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, Yii::$app->charset, $doubleEncode);
}
1 reply
zkbhj - 凯冰科技 site admin
Note: attack code is not necessarily inside <script></script>
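The following is an added example, not code from the original post or from Yii itself. It reproduces the htmlspecialchars() call that Yii's encode() wraps, applies it to a few constructed inputs (including the attribute/event-handler case the reply above points out, where no <script> tag is involved), and contrasts a vulnerable template line with the encoded one. The helper names encodeForHtml() and containsRawHtmlMetachars() and the UTF-8 charset constant are assumptions standing in for Yii::$app->charset.

```php
<?php
// Added example: mirrors what Yii's Html::encode() does (htmlspecialchars with
// ENT_QUOTES | ENT_SUBSTITUTE) and shows why it is needed in both tag and
// attribute context. Not part of the original post or of Yii.

// Stand-in for Yii::$app->charset; UTF-8 is assumed here.
const APP_CHARSET = 'UTF-8';

/**
 * Encode untrusted text before inserting it into HTML body or attribute content.
 * Same call as Yii's encode(); ENT_QUOTES also escapes single quotes, so the
 * result is inert inside single-quoted attributes as well.
 */
function encodeForHtml(string $content, bool $doubleEncode = true): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, APP_CHARSET, $doubleEncode);
}

/**
 * Defender-side check: after encoding, none of the characters that can close
 * a tag or an attribute may remain in raw form.
 */
function containsRawHtmlMetachars(string $s): bool
{
    return preg_match('/[<>"\']/', $s) === 1;
}

// Constructed sample inputs (not captured traffic).
$samples = [
    'plain name'             => 'Alice',
    'script tag'             => '<script>alert(1)</script>',
    'iframe tag'             => '<iframe src="x"></iframe>',
    'event handler, no tag'  => '" onfocus="alert(1)',   // closes an attribute, adds a handler
    'already encoded entity' => '&lt;b&gt;',
];

foreach ($samples as $label => $value) {
    $encoded = encodeForHtml($value);
    printf("%-24s raw: %s\n", $label, $value);
    printf("%-24s enc: %s  (raw metachars left: %s)\n\n",
        '', $encoded, containsRawHtmlMetachars($encoded) ? 'yes' : 'no');
}

// The same untrusted value rendered into the two contexts the page discusses.
$name = '" onfocus="alert(1)';

// Vulnerable: the value terminates the attribute and injects an event handler.
$vulnerable = '<input value="' . $name . '">';

// Fixed: encoded, the value stays inside the attribute as plain text.
$fixed   = '<input value="' . encodeForHtml($name) . '">';
$heading = '<h2>Profile of ' . encodeForHtml($name) . '</h2>';

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
echo "heading:    $heading\n";

// $doubleEncode = false leaves entities that are already present untouched and
// still encodes raw metacharacters. Use it only for input known to be encoded
// already; otherwise keep the default of true.
echo encodeForHtml('&lt;b&gt; &amp; <b>', false), "\n";
```

Run it with `php example.php`. The point to take from the output is that encoding alone makes every sample inert in both body and attribute context, so a template that always passes user data through encode() (or CHtml::encode() in Yii 1) does not need a blacklist of tag names or on* attributes at all; blacklists miss cases such as the attribute-breaking sample, which contains no tag.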