1. /**
    2. * 把html标签转化成非html格式
    3. * 通常用于从表单中post上来的需要消除html
    4. *
    5. * @param string or array $data
    6. * @return string or array
    7. */
    8. function html($data)
    9. {
    10. $magic_quotes=get_magic_quotes_gpc();
    11. if(is_array($data))
    12. {
    13. foreach($data as $k=>$v)
    14. $data[$k]=html($v);
    15. }
    16. else
    17. {
    18. $data=trim($data);
    19. $data=strip_tags($data); //除去字符串中的HTML和PHP标签
    20. //转义_ %
    21. //$data = str_replace("_", "\_", $data);
    22. //$data = str_replace("%", "\%", $data);
    23. $data=htmlspecialchars($data,ENT_QUOTES); //转换特殊HTML字符编码为字符
    24. if(!$magic_quotes) $data=addslashes($data);
    25. $data=discuz_checkhtml($data);
    26. }
    27. return $data;
    28. }
    30. function discuz_checkhtml($html) {
    31. preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
    33. $searchs[] = '<';
    34. $replaces[] = '&lt;';
    35. $searchs[] = '>';
    36. $replaces[] = '&gt;';
    38. if($ms[1]) {
    39. $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param';
    40. $ms[1] = array_unique($ms[1]);
    41. foreach ($ms[1] as $value) {
    42. $searchs[] = "&lt;".$value."&gt;";
    44. $value = str_replace('&', '_uch_tmp_str_', $value);
    45. $value = dhtmlspecialchars($value);
    46. $value = str_replace('_uch_tmp_str_', '&', $value);
    48. $value = str_replace(array('\\','/*'), array('.','/.'), $value);
    49. $skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',
    50. 'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',
    51. 'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',
    52. 'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',
    53. 'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',
    54. 'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',
    55. 'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart',
    56. 'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',
    57. 'onsubmit','onunload','javascript','script','eval','behaviour','expression','style','class');
    58. $skipstr = implode('|', $skipkeys);
    59. $value = preg_replace(array("/($skipstr)/i"), '.', $value);
    60. if(!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
    61. $value = '';
    62. }
    63. $replaces[] = empty($value)?'':"<".str_replace('&quot;', '"', $value).">";
    64. }
    65. }
    66. $html = str_replace($searchs, $replaces, $html);
    68. return $html;
    69. }
    71. /**
    72. * 把hmlt标签转化成实体格式
    73. * 参数可以为数组或者字符串
    74. * @param mix $string
    75. * @return mix
    76. */
    77. function dhtmlspecialchars($string) {
    78. if(is_array($string)) {
    79. foreach($string as $key => $val) {
    80. $string[$key] = dhtmlspecialchars($val);
    81. }
    82. } else {
    83. $string = preg_replace('/&amp;((#(\d{3,5}|x[a-fA-F0-9]{4})|[a-zA-Z][a-z0-9]{2,5});)/', '&\\1',
    84. str_replace(array('&', '"', '<', '>'), array('&amp;', '&quot;', '&lt;', '&gt;'), $string));
    85. }
    86. return $string;
    87. }