需要转义或清理<textarea>中显示的输出?
您是否必须转义或调整textarea中的输出?
看来,如果我使用htmlproperties()对其进行正确处理,就会出现实际的&.字符替换。
Yes, you need to sanitize. Use htmlspecialchars($str, ENT_QUOTES) instead.
If that output was initially provided by the user or any untrusted source (i.e. not directly from your code) then it needs to be sanitized to prevent against XSS attacks.
You need to consider whatever the output is editable by the user or not. If it not and it is a trusted output (maybe coming from pre defined texts that YOU wrote) you obviously don't. Otherwise yes. And the HTML chars replacement is quite normal but you don't have to worry because when the page is read and outputted to the user browser all the previous characters will still be there.
Notice that the > and < characters could be used, if not sanitize, to inject other HTML code and particular the <script> tag that can run Javascript.
Always escape all occurances of < and > (with < and >) within the textarea's content. Otherwise one could provide the following content (example) to "escape" the textarea and inject HTML code:
</textarea><script src="http://malicious.code.is/us.js"></script>
Otherwise this could result in the following code:
<textarea id="text"></textarea><script src="http://malicious.code.is/us.js"></script></textarea>
The second </textarea> at the end would be ignored and the script tag before would be executed.
Well, you have to:
<?php
$content = "</textarea><script>alert('hi!')</script>";
?>
<textarea>
<?php echo $content; ?>
</textarea>
Just using htmlspecialchars() is NOT enough. It still leaves you vulnerable to certain multibyte character attack vectors (even when using htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
Perhaps look at a library like HTMLPurifier to give you a more complete solution.
Here is a pretty good summary of XSS protection in PHP.