Suppose:
$str = 'hello<script>alert(##################);</script>';
$data = array();
$data['view_hello'] = $str;
return $this->renderPartial('index', $data); ----> read in the view layer: <?= $view_hello ?>
Then the view layer will treat the script as executable code and run it (a reflected/stored XSS).
Handling methods
a. In the view layer, escape the value with the Html helper class
<?php
use yii\helpers\Html;
?>
<?= Html::encode($view_hello) ?> // the JavaScript code is output verbatim as text, not executed
b. In the view layer, strip the markup completely with the HtmlPurifier class
<?php
use yii\helpers\HtmlPurifier;
?>
<?= HtmlPurifier::process($view_hello) ?> // only the text "hello" is output
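As an added example (not code from the original page or from the Yii project), the full controller-to-view flow described above, rendering the same untrusted value in three output contexts. It assumes a Yii 2 application; the controller class, action, view path and sample input are hypothetical.

```php
<?php
// Added example, not from the original page: a minimal Yii 2 controller and view
// that pass an untrusted value to the view layer and render it safely.
// Class, action and view names are hypothetical.

// ---- controllers/DemoController.php ----
namespace app\controllers;

use yii\web\Controller;

class DemoController extends Controller
{
    public function actionIndex()
    {
        // Constructed sample input standing in for a user-supplied value;
        // in practice it would come from a request parameter or the database.
        $untrusted = 'hello<script>alert(1);</script><b>world</b>';

        // Pass the value through unchanged: escaping belongs at the point of
        // output, because the correct encoding depends on where it is rendered.
        return $this->renderPartial('index', [
            'view_hello' => $untrusted,
        ]);
    }
}

// ---- views/demo/index.php ----
/* @var $view_hello string  untrusted text supplied by the controller */
use yii\helpers\Html;
use yii\helpers\HtmlPurifier;
?>
<!-- 1. Element content: entity-encode, so the markup is shown as literal text -->
<p><?= Html::encode($view_hello) ?></p>

<!-- 2. Attribute value: Html::tag() encodes attribute values itself, so a
        closing quote inside the payload cannot break out of the attribute -->
<?= Html::tag('input', '', ['type' => 'text', 'value' => $view_hello]) ?>

<!-- 3. Rich text: keep only an explicit allow-list of tags. <script> and
        event-handler attributes are removed, <b> survives -->
<div><?= HtmlPurifier::process($view_hello, ['HTML.Allowed' => 'b,i,p,a[href]']) ?></div>

<!-- Never echo $view_hello without one of the helpers above: that is the
        raw output the page warns about -->
```

Html::encode is the right choice for plain text in element content and attribute values; HtmlPurifier::process is only needed when user-supplied HTML genuinely has to be rendered, and the HTML.Allowed directive keeps that surface as small as possible.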