如何使用 php 测试 htmlpurifier?
How to test htmlpurifier using php?
首先我下载htmlpurifier-4.8.0。然后上传到我的主机,这是没有htmlpurifier的代码:
<?PHP
if(isset($_POST["submit"]))
{
include("connect.php");
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
echo $dirty_html;
}
?>
<form method="post" action="" ENCTYPE = "multipart/form-data">
<input name="xx" type="text">
<input type="submit" name="submit" value="OK">
</form>
在输入name="xx"中我填写了数据<script>alert("test");</script>777,得到了回显777。
这里是 htmlpurifier 用法的代码:
<?PHP
if(isset($_POST["submit"]))
{
include("connect.php");
require_once 'htmlpurifier-4.8.0/library/HTMLPurifier.auto.php';
$purifier = new HTMLPurifier();
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
$clean_html = $purifier->purify($dirty_html);
echo $clean_html;
}
?>
<form method="post" action="" ENCTYPE = "multipart/form-data">
<input name="xx" type="text">
<input type="submit" name="submit" value="OK">
</form>
我用输入重复相同的测试。有人可以解释一下区别吗,为什么 without htmlpurifier 和 with htmlpurifier 我得到相同的结果?
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
// $dirty_html has 777 value now
$clean_html = $purifier->purify($dirty_html);
// $clean_html has 777 value because there is nothing to
purify in 777 which is a valid value
mysqli_real_escape_string 已经将输入转换为 777。
首先我下载htmlpurifier-4.8.0。然后上传到我的主机,这是没有htmlpurifier的代码:
<?PHP
if(isset($_POST["submit"]))
{
include("connect.php");
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
echo $dirty_html;
}
?>
<form method="post" action="" ENCTYPE = "multipart/form-data">
<input name="xx" type="text">
<input type="submit" name="submit" value="OK">
</form>
在输入name="xx"中我填写了数据<script>alert("test");</script>777,得到了回显777。
这里是 htmlpurifier 用法的代码:
<?PHP
if(isset($_POST["submit"]))
{
include("connect.php");
require_once 'htmlpurifier-4.8.0/library/HTMLPurifier.auto.php';
$purifier = new HTMLPurifier();
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
$clean_html = $purifier->purify($dirty_html);
echo $clean_html;
}
?>
<form method="post" action="" ENCTYPE = "multipart/form-data">
<input name="xx" type="text">
<input type="submit" name="submit" value="OK">
</form>
我用输入重复相同的测试。有人可以解释一下区别吗,为什么 without htmlpurifier 和 with htmlpurifier 我得到相同的结果?
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
// $dirty_html has 777 value now
$clean_html = $purifier->purify($dirty_html);
// $clean_html has 777 value because there is nothing to
purify in 777 which is a valid value
mysqli_real_escape_string 已经将输入转换为 777。