我有一个简单的脚本,我用它来POST一个世界,然后用list_of_files.txt中的行显示它。刚注意到我可以POST JavaScript,PHP和Html。我怎么剥掉这个?
$files=file('list_of_files.txt');
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
foreach($files as $list)
{
$extension = $_POST['extension'];
echo trim($list) . trim($extension);
echo "</div>";
}
}else{
?>
答案 0 :(得分:4)
strip_tags($ str)(http://php.net/manual/de/function.strip-tags.php)将删除所有 HTML标记
示例:
name=<strong>Finn</strong>&last_name=<script>alert('XSS');</script>
PHP:
$normal = $_POST['name']; //<strong>Adam</strong>
$stripped = strip_tags($_POST['name']); //Adam
答案 1 :(得分:3)
您在寻找strip_tags吗?
此函数尝试返回一个字符串,其中包含所有NULL字节,从给定str 中剥离的HTML和PHP标记。它使用与fgetss()函数相同的标签剥离状态机。
如果您想要输出,可以使用htmlspecialchars。
The translations performed are:
'&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
"'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'