Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
376 views
in Technique[技术] by (71.8m points)

javascript - Removing <script> tag - PHP

How to change all the occurrence of the <script> <Script> <scRipT> <sCrIpT> and so .. to &lt;script&gt; &lt;Script&gt; with PHP
I also want to remove

The input will be taken from a WYSIWYG Editor, so i can not use the strip_tags function.

Edit 2
Is there any other way a user can execute a javascript with some kind of strange characters to
I found this on internet

<scr<!--*-->ipt>
alert('hi')
</script>

But it did not worked though, is there any such possibilities ?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Simply removing <script> tags from untrusted input is not enough to guard against XSS attacks. For example, <a href="#" onmouseover="alert('pwned!');"> – I just put script in your page—without using a <script> tag—and stole your cookies. Oops.

This is a case where you really need to use a well-tested library that actually parses the HTML and removes the stuff you don't want.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...