I would like to ask: if a user enters code, how do I filter out its effect? For example, if a user submits the sentence <script>alert(0)</script>, it needs to be submitted to the backend and then displayed on the frontend. But if it is displayed on the frontend, the alert will definitely execute. How do I filter it so that it can be displayed directly? Gurus, please help me~
我想大声告诉你2017-05-16 13:04:39
PHP's htmlspecialchars()
Front-end equivalent:
```javascript
// Escape the five characters that matter in HTML text and attribute values.
// '&' must be replaced first; otherwise the '&' introduced by the later
// replacements would itself be escaped again (double escaping).
function htmlspecialchars(str)
{
    str = str.replace(/&/g, '&amp;');
    str = str.replace(/</g, '&lt;');
    str = str.replace(/>/g, '&gt;');
    str = str.replace(/"/g, '&quot;');
    str = str.replace(/'/g, '&#039;');
    return str;
}
```
滿天的星座2017-05-16 13:04:39
There are two places where you can filter: one is when the user input is stored in the database, the other is when it is displayed. The filtering method is htmlspecialchars(). Personally, I prefer filtering at display time, to preserve the originality and accuracy of the user's input data.
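The two answers above both come down to HTML-escaping the stored text at output time. The following is an added example (not code from the thread or from PHP's htmlspecialchars()) that does this with a single-pass replacer, runs it over the payload from the question and a constructed attribute-breaking payload, and shows what happens when you escape both on store and on display, which is the double-escaping problem behind the second answer's preference for escaping only at display time. The element stub, `renderEscapeOnDisplay` and the other helper names are assumptions made up for the example.

```javascript
// Added example, not from the original thread or from PHP.
// Maps each HTML-significant character to its entity, matching what
// PHP's htmlspecialchars($s, ENT_QUOTES) produces.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Single-pass replacement: every character is examined once, so the '&' of
// a freshly emitted '&lt;' can never be escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Store raw, escape at display": the database keeps the user's exact text,
// and the template escapes it every time it is rendered.
function renderEscapeOnDisplay(storedRaw) {
  return `<p>${escapeHtml(storedRaw)}</p>`;
}

// "Escape on store AND escape on display": the value written to the database
// is already escaped, so display-time escaping mangles it (& becomes &amp;)
// and the user sees literal '&lt;' on the page.
function renderDoubleEscaped(raw) {
  const stored = escapeHtml(raw);        // escaped before the INSERT
  return `<p>${escapeHtml(stored)}</p>`; // escaped again in the template
}

// Browser-side alternative that needs no manual escaping: assigning
// textContent never parses markup, unlike innerHTML. The element is any
// object with a textContent property (a stub is used below so this runs
// outside a browser).
function setUserText(element, userInput) {
  element.textContent = String(userInput);
  return element;
}

// Constructed sample inputs: the payload from the question, an
// attribute-context payload, and ordinary text containing & and '.
const SAMPLE_INPUTS = [
  '<script>alert(0)</script>',
  '" onmouseover="alert(1)',
  "Tom & Jerry's <b>bold</b> claim",
];

// Caveat: entity escaping is only correct when the value lands in HTML text
// or a quoted attribute. Inside an inline <script>, a javascript: URL or a
// CSS block a different encoder is needed; escapeHtml does not help there.

for (const input of SAMPLE_INPUTS) {
  console.log(renderEscapeOnDisplay(input));
}
console.log(renderDoubleEscaped('<b>hi</b>'));
```

Escaping at display time means the stored column still holds `<script>alert(0)</script>` verbatim, which is exactly what the second answer wants for data fidelity; the page is safe because every render path goes through the escaper. The moment you also escape before the INSERT, `renderDoubleEscaped` shows the visible corruption you get.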