The difference between php using htmlspecialchars() and strip_tags functions to filter HTML tags

Original address: http://www.manongjc.com/article/1103.html

First, let’s take a look at the usage examples of htmlspecialchars function and strip_tags function:

<?<span style="color: #000000;">php  
</span><span style="color: #800080;">$str</span>="<a href='http://www.manongjc.com'>码农教程'\"</a>"<span style="color: #000000;">;  
</span><span style="color: #0000ff;">echo</span> <span style="color: #008080;">htmlspecialchars</span>(<span style="color: #800080;">$str</span><span style="color: #000000;">);  
</span><span style="color: #0000ff;">echo</span> "<br/><br/>"<span style="color: #000000;">;  
</span><span style="color: #0000ff;">echo</span> <span style="color: #008080;">strip_tags</span>(<span style="color: #800080;">$str</span><span style="color: #000000;">);  
</span>?> 

The browser outputs the following results:

<a href='http://www.manongjc.com'>码农教程'<span style="color: #000000;">"</a>  
  
码农教程</span>'"  

View the page source code, the results are as follows:

<span style="color: #0000ff;"><</span><span style="color: #800000;">a </span><span style="color: #ff0000;">href</span><span style="color: #0000ff;">='http://www.manongjc.com'</span><span style="color: #0000ff;">></span>码农教程'"<span style="color: #0000ff;"></</span><span style="color: #800000;">a</span><span style="color: #0000ff;">><</span><span style="color: #800000;">br</span><span style="color: #0000ff;">/><</span><span style="color: #800000;">br</span><span style="color: #0000ff;">/></span>码农教程'" 

From the results, we can see that the difference between htmlspecialchars() and strip_tags is as follows:

Difference 1:

strip_tags function is used to remove HTML tags, while htmlspecialchars does not remove html tags, but only converts tags into HTML instances, so the biggest difference between the two is that one is to delete HTML tags, and the other is to convert html tags into other character.

Difference 2:

If the tags in the string that need to be removed from the HTML tags are originally wrong, for example, the greater than symbol is missing, an error will be returned when using the strip_tags function, while there will be no errors in htmlspecialchars, and it will still be converted into an HTML entity.

Difference three:

When preventing XSS attacks, it is generally recommended to use the htmlspecialchars function, because although strip_tags can delete HTML tags, it will not delete " or '. Therefore, even if you use strip_tags, you still need to use the htmlspecialchars function to filter out " or ' '

In form submission or user message board, if you want the original data output to be sent to the browser, then please use the htmlspecialchars function instead of the strip_tags function.

Please refer to reading about htmlspecialchars() and strip_tags functions:

http://www.manongjc.com/article/1213.html

http://www.manongjc.com/article/1099.html

http://www.manongjc.com/article/795.html