PHP:如何对html编码的数据进行html编码?
I'd like to parse a RSS Feed and display the content on my website(php,html).
But I'd like to html-encode the feed to prevent xss attacks. But how do I do this properly?
1.) How can I html-encode an url so that it will work afterwards? If I use htmlspecialchars for an entiere url the url won't work anymore.
2.) The Titel of the RSS Feed is already html-encoded. But I'd like to do it again by myself to be sure there can't be xss content inside it. But how I can I html-encode already encoded html? If I use htmlspecialchars twice the html output will show the escape commands instead of the right symbol.
我想解析RSS Feed并在我的网站上显示内容(php,html)。 p>
但我想对源代码进行html编码以防止xss攻击。 但是我该怎么做呢? p>
1。)我怎样才能对网址进行html编码,以便以后可以使用? 如果我使用htmlspecialchars作为entiere url,则url将不再起作用。 p>
2。)RSS Feed的标题已经是html编码的。 但是我想自己再做一次,以确保里面不能有xss内容。 但我怎么能html编码已经编码的HTML? 如果我使用htmlspecialchars两次,html输出将显示转义命令而不是正确的符号。 p> div>
Just give you a function that can remove xss. (not work at every situations)
function RemoveXSS(&$string, $low = false)
{
if (!is_array($string)) {
$string = trim($string);
$string = strip_tags($string);
$string = htmlspecialchars($string);
if ($low) {
return true;
}
$string = str_replace(['"', "\\", "'", "/", "..", "../", "./", "//"], '', $string);
$no = '/%0[0-8bcef]/';
$string = preg_replace($no, '', $string);
$no = '/%1[0-9a-f]/';
$string = preg_replace($no, '', $string);
$no = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';
$string = preg_replace($no, '', $string);
return true;
}
$keys = array_keys($string);
foreach ($keys as $key) {
RemoveXSS($string [$key]);
}
}