如何仅使用HTML和PHP来阻止XSS(跨站点脚本)?
我已经看过很多关于这个主题的帖子,但我还没有找到一篇清晰简明地说明如何实际防止XSS的文章.
问题:防止XSS(跨站点脚本)strip_tags在任何已保存的输入字段上使用并htmlspecialchars在任何显示的输出上运行...并使用PHP PDO预处理语句阻止SQL注入?
这是一个例子:
// INPUT: Input a persons favorite color and save to database
// this should prevent SQL injection ( by using prepared statement)
// and help prevent XSS (by using strip_tags)
$sql = 'INSERT INTO TABLE favorite (person_name, color) VALUES (?,?)';
$sth = $conn->prepare($sql);
$sth->execute(array(strip_tags($_POST['person_name']), strip_tags($_POST['color'])));
// OUTPUT: Output a persons favorite color from the database
// this should prevent XSS (by using htmlspecialchars) when displaying
$sql = 'SELECT …