为防止XSS攻击，您只需要检查并正确验证计划使用的所有用户输入数据，并且不允许插入html或javascript代码从那个形式. 或者，您可以使用htmlspecialchars()将HTML字符转换为HTML实体.因此，诸如<>之类的标记标记开始/结束的字符将变成html实体，并且您可以使用strip_tags()仅允许某些标记，因为该函数不会去除onclick或onload之类的有害属性.

To prevent from XSS attacks, you just have to check and validate properly all user inputted data that you plan on using and dont allow html or javascript code to be inserted from that form. Or you can you Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like <> that mark the beginning/end of a tag are turned into html entities and you can use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload.