• Prevent basic XSS attacks by filtering out HTML tags


    /**
    *    Prevent basic XSS attacks by filtering out HTML tags.
    *    Converts HTML-significant characters to HTML entities (htmlentities).
    *    Converts # and % to their corresponding entity references.
    *    Adds a $length parameter to cap the maximum length of submitted data.
    */
    function transform_HTML($string, $length = null) {
      // Helps prevent XSS attacks

      // Remove dead space.
      $string = trim($string);

      // Prevent potential Unicode codec problems.
      // Note: utf8_decode() converts UTF-8 to ISO-8859-1, so any character
      // outside Latin-1 is lost; the function is deprecated since PHP 8.2.
      $string = utf8_decode($string);

      // HTMLize HTML-specific characters.
      // ENT_NOQUOTES leaves " and ' untouched, so the result is only safe
      // in element content, not inside attribute values.
      $string = htmlentities($string, ENT_NOQUOTES);
      $string = str_replace("#", "&#35;", $string);
      $string = str_replace("%", "&#37;", $string);
      $length = intval($length);
      if ($length > 0) {
        // Byte-based truncation after encoding can cut an entity in half.
        $string = substr($string, 0, $length);
      }
      return $string;
    }
    /*
    // e.g.:
    $string = " &gt;< > <a>&lt; 
     /n . \  %22%3e %3c%53%43%52%49%50%54%3e%44%6f%73%6f%6d%65%74%68%69%6e%67%6d%61%6c%69%63%69%6f%75%73%3c%2f%53%43%52%49%50%54%3e";
    echo $string;
    echo '<br>';
    echo transform_HTML($string);

    */
    
    /*

    Output of $string:

    >< > < /n .   %22%3e %3c%53%43%52%49%50%54%3e%44%6f%73%6f%6d%65##%74%68%69%6e%67%6d%61%6c%69%63%69%6f%75%73%3c%2f%53%43%52%49%50%54%3e

    Output of transform_HTML($string):

    &gt;< > <a>&lt; /n .   %22%3e %3c%53%43%52%49%50%54%3e%44%6f%73%6f%6d%65##%74%68%69%6e%67%6d%61%6c%69%63%69%6f%75%73%3c%2f%53%43%52%49%50%54%3e

    */
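A hardened counterpart, added here as an example and not code from the original post: it keeps the same shape as transform_HTML but encodes both quote characters (ENT_QUOTES) so the output is also safe inside attribute values, validates the input as UTF-8 instead of calling the deprecated utf8_decode(), and truncates by character count before encoding so no entity or multibyte character is ever cut in half. The # and % replacements are dropped because neither character is significant to an HTML parser. The function names encode_for_html and render_comment, the PHP 8.1+ with mbstring requirement, and the sample inputs are all assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post). Assumes PHP 8.1+ with the
// mbstring extension; the names encode_for_html and render_comment are ours.

/**
 * Encode untrusted text for insertion into HTML element content or a quoted
 * attribute value. Differences from transform_HTML above:
 *  - ENT_QUOTES also encodes " and ', so the output is safe in attributes;
 *  - the input is validated as UTF-8 instead of being run through
 *    utf8_decode(), which destroys every non-Latin-1 character;
 *  - truncation happens on characters, before encoding, so an entity such as
 *    &lt; is never cut in half and a multibyte character is never split.
 */
function encode_for_html(string $input, ?int $maxLength = null): string
{
    $input = trim($input);

    // Reject invalid byte sequences rather than silently mangling them.
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }

    // Character-based cap applied to the raw input, not to the encoded output.
    if ($maxLength !== null && $maxLength > 0) {
        $input = mb_substr($input, 0, $maxLength, 'UTF-8');
    }

    // ENT_SUBSTITUTE replaces any remaining invalid sequence with U+FFFD
    // instead of returning an empty string, which would silently drop content.
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one untrusted value into both contexts the encoder is meant for. */
function render_comment(string $untrusted): string
{
    $safe = encode_for_html($untrusted, 200);
    return '<p title="' . $safe . '">' . $safe . '</p>';
}

// Constructed inputs: the tag payload from the post's own test string
// (URL-decoded), a string exercising both quote characters, and a
// non-Latin-1 string that utf8_decode() would have destroyed.
$samples = [
    '"><SCRIPT>Dosomethingmalicious</SCRIPT>',
    'He said "it\'s fine" & left',
    '日本語 テスト',
];

foreach ($samples as $sample) {
    echo render_comment($sample), PHP_EOL;
}
```

Run it with the php command-line binary; each sample is emitted once inside a title attribute and once as element content, using the same encoded string for both, which is the property transform_HTML's ENT_NOQUOTES setting does not give you.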
  • Original source: https://www.cnblogs.com/yhdsir/p/4648480.html