I know this has been said before, and most likely a duplicate, but I'm having trouble consolidating all the information I'm finding.
I have input boxes that store information. I'd like to allow the user to type in anything they want, and display it. However, if it happens to be something like <?php die(); ?>
<?php die(); ?>
, I obviously don't want it to execute.
I know there are things like htmlspecialchars()
, however, if a user types something like <b>
it will display <b>
instead.
Is there a way around this?
<?php
$string = '<?php echo "aaa;"?><b>sss</b>';
print "before: ". htmlspecialchars($string). "<br>";
print "after: ". cleanInput($string);
function cleanInput($input) {
$output = strip_tags($input, '<p><a><b><div>');
return htmlspecialchars($output);
}
where <p><a><b><div>
are the allowable tags. this is good so, you can only set which tags you want to allow. This will also strip <script>
and other tags
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.