/**
* 防止基本的XSS攻击 滤掉HTML标签
* 将HTML的特殊字符转换为了HTML实体 htmlentities
* 将#和%转换为他们对应的实体符号
* 加上了$length参数来限制提交的数据的最大长度
*/
function transform_HTML($string, $length = null) {
// Helps prevent XSS attacks
// Remove dead space.
$string = trim($string);
// Prevent potential Unicode codec problems.
$string = utf8_decode($string);
// HTMLize HTML-specific characters.
$string = htmlentities($string, ENT_NOQUOTES);
$string = str_replace("#", "#", $string);
$string = str_replace("%", "%", $string);
$length = intval($length);
if ($length > 0) {
$string = substr($string, 0, $length);
}
return $string;
}
/*
// eg:
$string = " >< > <a>< \n /n \. \\ \ %22%3e %3c%53%43%52%49%5 0%54%3e%44%6f%73%6f%6d%65%74%68%6 9%6e%67%6d%61%6c%69%63%69%6 f%75%73%3c%2f%53%43%52%49%50%54%3e";
echo $string;
echo ‘<br>‘;
echo transform_HTML($string);
*/
/*
输出 $string:
>< > < /n \. \ \ %22%3e %3c%53%43%52%49%5 0%54%3e%44%6f%73%6f%6d%65##%74%68%6 9%6e%67%6d%61%6c%69%63%69%6 f%75%73%3c%2f%53%43%52%49%50%54%3e
输出 transform_HTML($string):
>< > <a>< /n \. \ \ %22%3e %3c%53%43%52%49%5 0%54%3e%44%6f%73%6f%6d%65##%74%68%6 9%6e%67%6d%61%6c%69%63%69%6 f%75%73%3c%2f%53%43%52%49%50%54%3e
*/
原文:http://www.cnblogs.com/yhdsir/p/4648480.html