本文介绍了将htmlentities应用于剥离的标签的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
研究链接:
如何选择性地应用htmlentities? 和 使用PHP函数剥离标签,除了列入白名单的标签和属性列表
它们很接近,但没有达到预期.
They are close but not as expected.
我尝试了什么?
<?php define('CHARSET', 'UTF-8'); define('REPLACE_FLAGS', ENT_HTML5); function htmlcleaned($string) { $string = htmlentities($string); return str_replace( array("<i>", "<b>", "</i>", "</b>", "<p>", "</p>"), array("<i>", "<b>", "</i>", "</b>", "<p>", "</p>"), $string); } echo htmlcleaned("<p>How are you?</p><p><b>This is bold</b></p><p><i>This is italic</i></p><p><u>This is underline</u></p><p><br></p><ul><li>This is list item 1</li><li>This is list item 2</li></ul><p><br></p><ol><li>This is ordered list item 1</li><li>This is ordered list item 2</li></ol><p><a target='_blank' style='color: #1c5c76;' href='www.google'>www.google</a></p><p>This is plain text again.<br></p><script>alert('attempt csrf');</script><p><p>This is P tag example</p></p>"); ?>我想实现什么?
如果输入是:
<b><script>alert("something");</script></b>然后输出将是:
<b><script&rt;("something");</script$rt;</b>没有特定的黑名单,但有特定的白名单.
There is no specific blacklist but there is a specific white list.
推荐答案此功能可能对您有帮助,但尚未经过严格测试.它将对除您指定的标签之外的所有标签执行htmlentity
This function might help you, it is not highly tested. It will do htmlentities on all the tags except the tags you specify
function html_entity_decode_matches($matches){ return html_entity_decode($matches[0]); } function htmlentities_exclude($string, $exclude_array){ $string = htmlentities($string); //htmlentities all $ent_sl = ">"; //> if (is_array($exclude_array) AND !empty($exclude_array)){ foreach($exclude_array as $exc){ $exc = str_replace(array("<", ">"), "", $exc); $ent = str_replace("/", "\/", htmlentities("<{$exc}")); $ent_e = str_replace("/", "\/", htmlentities("</{$exc}>")); //do decode on <tag...> $string = preg_replace_callback("/{$ent}(.*?){$ent_sl}/", "html_entity_decode_matches", $string); //do decode on <\tag> $string = preg_replace_callback("/{$ent_e}/", "html_entity_decode_matches", $string); } } return $string; }echo htmlentities_exclude('<b><script>alert("something");</script></b>', array("<b>")); Output: <b><script>alert("something");</script></b>
更多推荐
将htmlentities应用于剥离的标签
发布评论