Yii::$app->response->headers->add('X-XSS-Protection','0');//表示关闭YII的跨站脚本过滤
//http://www.frontend.com/test/post?name=<script>alert("hello world!")</script> 反射型注入攻击
echo Yii::$app->request->get("name");
//页面会弹出一个alert
在比较特殊的情况下YII的防止跨站攻击也会失效
// http://www.frontend.com/test/post?key=%26quot;;alert(3);
return $this->render("demo");
demo的内容如下,也会弹出alert()
<img src='x.jpg' onerror='var a="123<?=$_GET["key"];?>";'/>
YII针对XSS输入
//http:///www.frontend.com/test/post?script=<script>alert(3)</script> $script = Yii::$app->request->get("script"); //echo YiihelpersHtml::encode($script);//直接转义 echo YiihelpersHtmlPurifier::process($script);//过滤