To avoid display problems and injections, it is recommended to encode or remove the following characters in HTML and XML documents. The table below shows what each of the usual PHP functions produces for the same injection string.
| Expression | Result |
|---|---|
$string | Injection JS <script>document.location='http://kode.ch'</script> |
htmlspecialchars($string) | Injection JS <script>document.location='http://kode.ch'</script> |
htmlspecialchars($string,ENT_QUOTES) | Injection JS <script>document.location='http://kode.ch'</script> |
htmlentities($string) | Injection JS <script>document.location='http://kode.ch'</script> |
strip_tags($string) | Injection JS document.location='http://kode.ch' |
strip_tags($string,'<a>') | Injection JS document.location='http://kode.ch' |
filter_var($string, FILTER_SANITIZE_STRING) | Injection JS document.location='http://kode.ch' |
filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) | Injection JS <script>document.location='http://kode.ch'</script> |
filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS) | Injection JS <script>document.location='http://kode.ch'</script> |
addslashes($string) | Injection JS <script>document.location=\'http://kode.ch\'</script> |
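The raw (unrendered) output of each expression from the table, as an added PHP example that is not part of the original page; the sample string is constructed for the demonstration and the `isHtmlSafe()` helper is a hypothetical check, not a PHP built-in:

```php
<?php
// Added example (not from the original page): print the raw output of each
// function in the table for the same injection string, so the difference
// between "escaped" (safe to echo into HTML) and "stripped" is visible.
declare(strict_types=1);

// Constructed sample input, identical to the one used in the table.
$string = "Injection JS <script>document.location='http://kode.ch'</script>";

// Functions that ESCAPE: '<', '>', '&' and quotes are turned into entities,
// so the browser shows them as text instead of parsing them as markup.
$escaped = [
    'htmlspecialchars($string)'                      => htmlspecialchars($string),
    'htmlspecialchars($string, ENT_QUOTES)'          => htmlspecialchars($string, ENT_QUOTES),
    'htmlentities($string)'                          => htmlentities($string),
    'filter_var(..., FILTER_SANITIZE_SPECIAL_CHARS)' => filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS),
    'filter_var(..., FILTER_SANITIZE_FULL_SPECIAL_CHARS)' => filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
];

// Functions that STRIP or do something else: tags are removed but whatever
// remains is emitted verbatim, and addslashes() only backslash-escapes quotes
// and backslashes, which means nothing to an HTML parser.
// (FILTER_SANITIZE_STRING from the table is deprecated since PHP 8.1.)
$other = [
    'strip_tags($string)'        => strip_tags($string),
    'strip_tags($string, "<a>")' => strip_tags($string, '<a>'),
    'addslashes($string)'        => addslashes($string),
];

foreach ($escaped + $other as $expr => $out) {
    printf("%-55s => %s\n", $expr, $out);
}

// Hypothetical reviewer check: output destined for HTML text or an attribute
// value must contain none of the characters that open markup or end a quoted
// attribute. A single quote left unescaped is exactly what breaks out of a
// single-quoted attribute such as value='...'.
function isHtmlSafe(string $s): bool
{
    return strpbrk($s, "<>\"'") === false;
}

foreach ($escaped as $expr => $out) {
    // Before PHP 8.1, htmlspecialchars()/htmlentities() default to ENT_COMPAT
    // and keep the single quote; from 8.1 ENT_QUOTES is the default.
    printf("%-55s html-safe: %s\n", $expr, isHtmlSafe($out) ? 'yes' : 'NO (quote kept)');
}
```

Run it under two PHP versions (before and after 8.1) to see which calls depend on the default flags and which, like the `ENT_QUOTES` variants, behave the same everywhere.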