当我输入时:
<script>alert("XSS")</script>Cleaning Test
我的输出应该是
Cleaning Test
但我得到与输入相同<script>alert("XSS")</script>Cleaning Test
有人可以帮我解决这个问题并尝试了很多但不起作用我需要检查我htmlpurifie的工作是否正常
这是我的代码
<?php
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
ini_set("display_errors", 1);
error_reporting(E_ALL);
define('DB_SERVER', "localhost");
define('DB_USER', "sanoj");
define('DB_PASSWORD', "123456");
define('DB_DATABASE', "test");
define('DB_DRIVER', "mysql");
$country = filter_input(INPUT_POST, 'title');
$dirty_html = filter_input(INPUT_POST, 'wysiwyg');
$purifier = new HTMLPurifier();
$clean_html = $purifier->purify($dirty_html);
try {
$db = new PDO(DB_DRIVER . ":dbname=" . DB_DATABASE . ";host=" . DB_SERVER, DB_USER, DB_PASSWORD);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $db->prepare("INSERT INTO final(title, wysiwyg) VALUES (:title, :wysiwyg)");
$stmt->bindParam(':title', $country, PDO::PARAM_STR, 100);
$stmt->bindParam(':wysiwyg', $clean_html, PDO::PARAM_STR, 100);
if ($stmt->execute()) {
echo '1 row has been inserted';
}
$db = null;
} catch (PDOException $e) {
trigger_error('Error occured while trying to insert into the DB:' . $e->getMessage(), E_USER_ERROR);
}
?>