
HTML Purifier - what to purify?

Updated: 2023-11-01 18:08:22

I am using HTML Purifier to protect my application from XSS attacks. Currently I am purifying content from WYSIWYG editors because that is the only place where users are allowed to use XHTML markup.

My question is, should I use HTML Purifier also on username and password in a login authentication system (or on input fields of sign up page such as email, name, address etc)? Is there a chance of XSS attack there?

You should Purify anything that will ever possibly be displayed on a page. Because with XSS attacks, hackers put in <script> tags or other malicious tags that can link to other sites.

Passwords and emails should be fine. Passwords should never be shown and emails should have their own validator to make sure that they are in the proper format.

Finally, always remember to put in htmlentities() on content.

Oh .. and look at filter_var as well. Very nice way of filtering variables.
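As an added example (not code from the question or the answer above), the answer's three points put together in PHP: HTML Purifier for the one field where markup is allowed, filter_var() for the email field, and htmlentities() at output time for plain-text fields such as the username. It assumes HTML Purifier was installed with Composer (package ezyang/htmlpurifier) and that the function names are the reader's own choice.

```php
<?php
// Added example, not from the original Q&A. Assumes HTML Purifier was installed
// with Composer (package ezyang/htmlpurifier), so its autoloader is available.
require_once __DIR__ . '/vendor/autoload.php';

// 1. Rich text from the WYSIWYG editor: the only field where markup is allowed,
//    so it goes through HTML Purifier, which keeps only whitelisted tags and
//    attributes and drops <script> elements together with their contents.
function cleanEditorHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Tight whitelist: a few formatting tags and links with an href only.
    $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li');
    // Definition cache must be writable; use the system temp dir here.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// 2. Email: validate the format and reject anything else. A syntactically
//    valid address cannot carry markup, so no purifier is needed here.
function validateEmail(string $input): ?string
{
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// 3. Plain-text fields (username, name, address): store them as typed, but
//    escape at output time so any markup is displayed literally, never run.
//    ENT_QUOTES also escapes quotes, which matters inside attribute values.
function escapeForHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input (not real user data).
$editor   = '<p onclick="alert(1)">Hello <b>world</b></p><script>alert(1)</script>';
$email    = 'alice@example.com';
$username = '<script>alert(1)</script>';

echo cleanEditorHtml($editor), PHP_EOL;              // markup kept, script gone
var_dump(validateEmail($email) !== null);            // accepted
var_dump(validateEmail('not-an-email') !== null);    // rejected
echo escapeForHtml($username), PHP_EOL;              // shown as text, not run
```

Escaping with htmlentities() is correct for an HTML text context; a value placed inside a JavaScript block or a URL needs the escaping for that context instead.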