ThinkPHP的使用(五)富文本编辑器的使用以及防xss攻击

创建时间：2017-04-25 投稿人：浏览次数：781

将下载好的htmlpurifier及ueditor文件夹放入Plugin文件夹下
在模板页中引入以下js文件

<script type="text/javascript" charset="utf-8" src="{$Think.config.PLUGIN_URL}ueditor/ueditor.config.js"></script>
<script type="text/javascript" charset="utf-8" src="{$Think.config.PLUGIN_URL}ueditor/ueditor.all.min.js"> </script>
<script type="text/javascript" charset="utf-8" src="{$Think.config.PLUGIN_URL}ueditor/lang/zh-cn/zh-cn.js"></script>
<script type="text/javascript" src="{$Think.config.BACK_JS_URL}jquery-1.7.2.min.js"></script>
<script type="text/javascript">
    UEDITOR_CONFIG.toolbars=[[
        "fullscreen", "source", "|", "undo", "redo", "|",
           "bold", "italic", "underline", "fontborder", "strikethrough", "superscript", "subscript", "removeformat", "formatmatch", "autotypeset", "blockquote", "pasteplain", "|", "forecolor", "backcolor", "insertorderedlist", "insertunorderedlist", "selectall", "cleardoc", "|",
           "rowspacingtop", "rowspacingbottom", "lineheight", "|",
           "customstyle", "paragraph", "fontfamily", "fontsize", "|",
           "directionalityltr", "directionalityrtl", "indent", "|",
           "justifyleft", "justifycenter", "justifyright", "justifyjustify", "|", "touppercase", "tolowercase", "|",
           "link", "unlink", "anchor", "|", "imagenone", "imageleft", "imageright", "imagecenter", "|",
           "simpleupload", "insertimage", "emotion", "scrawl", "insertvideo", "music", "attachment", "map", "gmap", "insertframe", "insertcode", "webapp", "pagebreak", "template", "background", "|",
           "horizontal", "date", "time", "spechars", "snapscreen", "wordimage",
    ]]
</script>
<!--下面是富文本编辑器展示区域-->
 <table border="1" width="100%" class="table_a" id="detail-tab-tb" style="display: none;">
    <tr>
        <td>
            <textarea name="news_content" id="news_content" style="width:730px;height:320px;"></textarea>
        </td>
    </tr>
    <script>
        var ue = UE.getEditor("news_content");                  
    </script>
</table>

在function.php文件中引入如下代码:

function fanXSS($string)
{
    require_once "./Plugin/htmlpurifier/HTMLPurifier.auto.php";
    // 生成配置对象
    $cfg = HTMLPurifier_Config::createDefault();
    // 以下就是配置：
    $cfg->set("Core.Encoding", "UTF-8");
    // 设置允许使用的HTML标签
    $cfg->set("HTML.Allowed","div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]");
    // 设置允许出现的CSS样式属性
    $cfg->set("CSS.AllowedProperties", "font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align");
    // 设置a标签上是否允许使用target="_blank"
    $cfg->set("HTML.TargetBlank", TRUE);
    // 使用配置生成过滤用的对象
    $obj = new HTMLPurifier($cfg);
    // 过滤字符串
    return $obj->purify($string);    
}

然后在Controller中使用：

//添加新闻
public function add(){
    if(IS_POST){
        $news=new ModelNewsModel();
        $data=$news->create();
        $data["news_content"]=fanXSS($_POST["news_content"]);
        if($news->add($data)){
            $this->success("添加新闻成功",U("showlist"),2);
        }else{
            $this->error("添加新闻失败",U("tianjia"),2);
        }
    }else{
        $this->display();
    }
}

声明：该文观点仅代表作者本人，牛骨文系教育信息发布平台，牛骨文仅提供信息存储空间服务。

上一篇： Linux进程间的通信方式和原理
下一篇：如何修改DB2 客户机 DB2CODEPAGE

热门文章: CTF writeup 2_南邮网络攻防训...; SSM框架——详细整合教程（...; Linux Shell脚本编程－－curl命...; HttpClient使用详解; Java面试题全集（上）; JAVA设计模式之单例模式; java.lang.OutOfMemoryError: PermGen ...; TCP协议中的三次握手和四次...; form表单的两种提交方式，su...; String,StringBuffer与StringBuilder...

最新文章: Java之品优购课程讲义_day20（7）; 剑指 Offer - 8：跳台阶; Netty权威指南_札记02_NIO编程; mysql时间属性之时间戳和datetime之...; 虚拟现实或许可以拯救古埃及的“...; spring cloud服务注册中心eureka---集群...; Java SE 第六章; HTTP请求+数据库; HIDL学习笔记之HIDL C++（第二天）; ubuntu系统下指定tomcat运行时为JDK1.8...