Suppose the controller passes a user-controlled string straight through to the view:
$str = 'hello<script>alert(##################);</script>';
$data = array();
$data['view_hello'] = $str;
return $this->renderPartial('index', $data);    ----> in the view it is printed with: <?= $view_hello ?>
The view then writes the string into the page unchanged, so the browser treats the script element as code and executes it (a cross-site scripting bug).
Mitigation
a. In the view, escape the value on output with the Html helper
<?php
use yii\helpers\Html;
?>
<?= Html::encode($view_hello) ?>    // the JavaScript is output as literal text (entities), not executed
b. In the view, strip the markup with the HtmlPurifier helper
<?php
use yii\helpers\HtmlPurifier;
?>
<?= HtmlPurifier::process($view_hello) ?>    // only the text hello is output; the script element and its body are removed
Html::encode is the right default for plain text. HtmlPurifier is for content that is allowed to keep some HTML (rich text from an editor); it is much slower than encoding, so its output should be cached rather than recomputed on every request.
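The following view file is an added example, not code from the original page or from Yii itself; the file path and the `$view_rich` variable are assumptions. It shows the vulnerable output next to the two fixes, how Html::encode also holds in an attribute value, and what HtmlPurifier keeps and drops when the input is meant to carry markup:

```php
<?php
/* views/site/hello.php (added example; the path is an assumption).
 * The controller passes $view_hello and $view_rich via renderPartial().
 * The fallbacks below are constructed sample input so the view can be
 * tried on its own; they stand in for untrusted user data. */

use yii\helpers\Html;
use yii\helpers\HtmlPurifier;

/** @var \yii\web\View $this */
/** @var string $view_hello  untrusted plain text */
/** @var string $view_rich   untrusted text that is allowed to contain some HTML */

$view_hello = $view_hello ?? 'hello<script>alert(1);</script>';
$view_rich  = $view_rich  ?? 'hello <b>world</b> <a href="javascript:alert(1)">link</a>';
?>

<!-- 1. Vulnerable: the string lands in the page unchanged, so the browser runs the script. -->
<p><?= $view_hello ?></p>

<!-- 2. Html::encode(): '<', '>', '&', '"' and "'" become entities, so the browser
     displays the tag as text instead of executing it. -->
<p><?= Html::encode($view_hello) ?></p>

<!-- Html::encode() escapes both quote characters, so it is also safe inside a
     quoted attribute value. Always quote the attribute. -->
<input type="text" name="hello" value="<?= Html::encode($view_hello) ?>">

<!-- 3. HtmlPurifier::process(): the script element and its body are removed entirely. -->
<p><?= HtmlPurifier::process($view_hello) ?></p>

<!-- HtmlPurifier is meant for content that keeps markup: the <b> element survives,
     the javascript: URL does not. -->
<div><?= HtmlPurifier::process($view_rich) ?></div>

<!-- Restrict the allowed markup explicitly; any other tag or attribute is stripped. -->
<div><?= HtmlPurifier::process($view_rich, ['HTML.Allowed' => 'b,i,a[href]']) ?></div>
```

The second argument to HtmlPurifier::process is passed to HTMLPurifier_Config, so any HTML Purifier directive (such as HTML.Allowed) can be set there; keeping the allowed list short is the simplest way to reason about what can reach the browser.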