Php 输入过滤器/val输出转义zf2是否正确?
我是否正确理解,我需要像这样逃避:Php 输入过滤器/val输出转义zf2是否正确?,php,zend-framework2,xss,Php,Zend Framework2,Xss,我是否正确理解,我需要像这样逃避: <div id="search-box"> <?php $escaper = new Zend\Escaper\Escaper('utf-8'); ?> <input type="text" placeholder="<?php echo $escaper->escapeHtml($this->languageText('TEXT_SEARCH_OUR_SITE',"Search
<div id="search-box">
<?php $escaper = new Zend\Escaper\Escaper('utf-8'); ?>
<input type="text" placeholder="<?php echo $escaper->escapeHtml($this->languageText('TEXT_SEARCH_OUR_SITE',"Search Our Site"));
?>" name="query" id="query" />
<div class="search-box-bk"></div>
</div>
如何正确地转义取决于上下文。在您的示例中,变量以HTML属性输出,因此您应该使用
escapeHtmlAttr
:
<input type="text" placeholder="<?php echo $escaper->escapeHtmlAttr($this->languageText('TEXT_SEARCH_OUR_SITE',"Search Our Site"));
?>" name="query" id="query" />
好的,谢谢你的回答。这在我的问题上似乎不起作用。我以前试过这个,怎么不起作用?你得到了什么输出?
<input type="text" placeholder="<?php echo $escaper->escapeHtmlAttr($this->languageText('TEXT_SEARCH_OUR_SITE',"Search Our Site"));
?>" name="query" id="query" />