I strongly disagree it's "academically better".

我强烈不同意它“在学术上更好”。

• It breaks user input (imagine how useless StackOverflow would be for this discussion if they "cleaned" posts from all tags).

• Text inserted in HTML with only tags stripped will be invalid. HTML requires &to be escaped as well.

• It's not even safe in HTML! strip_tags()is not enough to protect values in attributes, e.g., <input value="$foo">might be exploited with $foo= " onfocus="evil()(no <,>needed!)

• 它破坏了用户输入（想象一下，如果 StackOverflow 从所有标签中“清除”了帖子，那么这次讨论将是多么无用）。

• 插入到 HTML 中且仅去除标签的文本将无效。HTML 也需要&转义。

• 在 HTML 中它甚至都不安全！strip_tags()不足以保护属性中的值，例如，<input value="$foo">可能会被$foo= " onfocus="evil()（不<，>需要！）

So the correct solution is to escape data according to requirements of language you're generating. When you have plain text and you're generating HTML, you should convert text to HTML with htmlspecialchars()or such. When you're generating e-mail, you should convert text to quoted-printable format, and so on.

因此，正确的解决方案是根据您生成的语言的要求来转义数据。当你有纯文本并且你正在生成 HTML 时，你应该将文本转换为 HTML htmlspecialchars()。当您生成电子邮件时，您应该将文本转换为带引号的可打印格式，等等。

strip_tagsitself is not going to be sufficient as it removes perfectly valid, non-HTML content. For instance:

strip_tags它本身是不够的，因为它删除了完全有效的非 HTML 内容。例如：

<?php
 echo strip_tags("This could be a happy clown *<:) or a puckered face.\n");
 ....
 echo strip_tags("Hey guys <--- look at this!\n");

Will output:

将输出：

This could be a happy clown *

And:

和：

Hey guys

Everything after the initial <gets removed. Very annoying for end users! Disallowing reserved HTML characters would be a bad move. And these characters will need to be escaped with htmlentitiesor a similar function when used inline with HTML.

初始之后的所有内容都<被删除。对最终用户来说非常烦人！禁止保留的 HTML 字符将是一个糟糕的举动。htmlentities当与 HTML 内联使用时，这些字符将需要使用或类似的函数进行转义。

You need something more advanced that strip_tags- HTML Purifierworks great and will allow users to use HTML reserved characters.

您需要更高级的东西strip_tags- HTML Purifier效果很好，并且允许用户使用 HTML 保留字符。

As others have mentioned, you can use a combination of strip_tagsand htmlspecialcharsto protect yourself against XSS.

正如其他人所说，你可以使用的组合strip_tags，并htmlspecialchars保护自己不受XSS。

One bad thing about strip_tagsis that it might remove harmless content that the user will not expect. I see techies write stuff like: <edit> foo </edit>, where they fully expect those tags to be seen as is. Also, I've seen "normal" people even do things like <g>for "grin." Again, they will think it's a bug if that doesn't show up.

一件坏事strip_tags是它可能会删除用户不期望的无害内容。我看到技术人员写这样的东西：<edit> foo </edit>，他们完全希望这些标签被视为原样。此外，我还看到“正常”的人甚至会做<g>“咧嘴笑”之类的事情。同样，如果没有出现，他们会认为这是一个错误。

So personally, I avoid strip_tagsin preference for my own parser that allows me to explicitly enable certain safe HTML tags, attributes and CSS, explicitly disable unsafe tags and attributes, and convert any other special character to harmless versions. Thus the text is always seen as one would expect.

所以就我个人而言，我避免strip_tags优先使用自己的解析器，因为它允许我显式启用某些安全的 HTML 标记、属性和 CSS，显式禁用不安全的标记和属性，并将任何其他特殊字符转换为无害版本。因此，文本总是被视为人们所期望的。

If I didn't have that parser at my disposal, I would simply use htmlspecialcharsto safely encode the text.

如果我没有那个解析器可供我使用，我只会用它htmlspecialchars来安全地对文本进行编码。

It should, I have never heard of that 0 trick before. But you can always do the strip_tagsand then the htmlspecialcharsjust to be safe. Good practice would be to test this yourself on your application, as you know what type of data you can try and input and test and see if it breaks it. Just search for methods of XSS exploits and use that for your test data. I would check at least weekly for new vulnerabilities and continually test your script to those new exploits that come out.

它应该，我以前从未听说过那个 0 把戏。但是为了安全起见，您总是可以先做strip_tags然后再做htmlspecialchars。好的做法是在您的应用程序上自己测试，因为您知道可以尝试输入和测试什么类型的数据，看看它是否会破坏它。只需搜索 XSS 攻击的方法并将其用于您的测试数据。我会至少每周检查一次是否有新漏洞，并不断测试您的脚本以应对出现的新漏洞。

Need help treating html as plain text within the document? Need to echothe value of an attribute without being vunerable to XSS attacks like <input value="<?php echo '" onkeydown="alert(&quot;XSS&quot;)'; ?>" />?

需要帮助将 html 视为文档中的纯文本吗？需要echo一个属性的值而不容易受到 XSS 攻击<input value="<?php echo '" onkeydown="alert(&quot;XSS&quot;)'; ?>" />吗？

Use htmlentities().

使用htmlentities().

echo htmlentities('<p>"..."</p>');
// result: &lt;p&gt;&quot;...&quot;&lt;/p&gt;

No strip_tags()required, as this function already replaces <and >with the <and >entities.

没有strip_tags()必要，因为该功能已替换<，并>与<和>实体。

What's the difference between htmlentities()and htmlspecialchars()you may ask?

你可能会问htmlentities()和有什么区别htmlspecialchars()？

Well, htmlentities()will encode ANYcharacter that has an HTML entity equivalent,

好吧，htmlentities()将编码具有HTML 实体等效的任何字符，

while htmlspecialchars()ONLYencodes a small set of the most problematic characters.

而htmlspecialchars()ONLY 只对一小组最有问题的字符进行编码。

strip_tags()can help, but it's not bulletproof. Since it doesn't validate the HTML it's stripping, some clever person WILL find an HTML construct (mangled or otherwise) that gets stripped and but still results in something nasty getting through. But for now, it should handle most everything that gets thrown at it. Just don't assume that this will be true forever.

strip_tags()可以提供帮助，但它不是防弹的。由于它不验证它正在剥离的 HTML，一些聪明的人会发现一个 HTML 构造（被破坏或以其他方式）被剥离，但仍然会导致一些令人讨厌的通过。但就目前而言，它应该处理大多数被扔给它的东西。只是不要假设这将永远正确。

As well, if you allow any tags to pass through via the 'allowable tags' parameter, that will let through any of the javascript-specific attributes, such as onclick for those specific tags.

同样，如果您允许任何标签通过 'allowable tags' 参数通过，这将允许通过任何特定于 javascript 的属性，例如这些特定标签的 onclick。