1. Background image path problem
Use the editor to upload files, and the path stored in the database is often like this:
20180820\6cbb383c55a6078fdf4f2be34fcbf61b.png
There is no problem using these paths directly in the img of h5. But when used as a background image, the backslash \ will cause the image to not be displayed.
style="background-image:url('/uploads/img/20180820\111.png'});"
At this time, you need to replace the backslash'\' with'/'
2. Input filtering problem
- We have a user input character: $str = "<span class="ddf">Sampling inspection passed</span><script>alert('666');</script>";
- For the text content submitted by the user, we insert the database through SQL injection filtering.
SQL injection filtering is generally usedhtmlspecialchars, Convert the html tags and symbols in the string into entities before inserting the data into the database. After the conversion, it is as follows:
<span class="ddf">抽检通过</span><script>alert('666');</script>
-
Then save the string to the database. When the string is read to the html page, the html tags and symbols will be output as they are.
-
When the string is submitted from the rich text box, it means that the style in the html tag needs to be executed. At this time, when it is output to the page as it is, the style of the text cannot be displayed correctly. We can usehtmlspecialchars_decodeRestore the html entity symbol in the string back to the html tag.
-
But in this case, the js tag is also restored. At this time, when the string is output to html, the js code will be executed, causing an xss attack. At this time, we need to process the string again and convert the script tags in the string into physical characters to avoid possible xss attacks. When the front end only needs to filter xss, the js code in the string can be deleted directly. Available in yii2Use \ yii \ helpers \ HtmlPurifier :: process ($ str), Filter out the js code.