In common.php:
public static function removeXSS($val)
{
    // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    $val = preg_replace('/([\x00-\x08]|[\x0b-\x0c]|[\x0e-\x19])/', '', $val);
    // ... (rest of the function is not shown in this excerpt)
}
The comment is wrong: // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
CR is 0D, LF is 0A, TAB is 09.
The code itself is correct.
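
To check the character class against the byte values given in the report, the following added example (not code from the project) isolates the `preg_replace` step and probes each control byte; `stripControlChars` and `survivingControlBytes` are hypothetical helper names, and the sample string is constructed. It also probes 0x1A-0x1F and 0x7F, which the report does not discuss, so the upper end of the `\x0e-\x19` range is visible.

```php
<?php
// Added example: the first filtering step of removeXSS(), isolated.
// stripControlChars() is a hypothetical helper name, not the project's.
function stripControlChars(string $val): string
{
    return preg_replace('/([\x00-\x08]|[\x0b-\x0c]|[\x0e-\x19])/', '', $val);
}

// Probe every C0 control byte (0x00-0x1F) plus DEL (0x7F) and
// return the hex codes of the bytes the pattern leaves in place.
function survivingControlBytes(): array
{
    $kept = [];
    foreach (array_merge(range(0x00, 0x1f), [0x7f]) as $code) {
        if (stripControlChars(chr($code)) !== '') {
            $kept[] = sprintf('%02X', $code);
        }
    }
    return $kept;
}

// Names for the three bytes the comment says are allowed,
// using the corrected values from the report.
$names = ['09' => 'TAB', '0A' => 'LF', '0D' => 'CR'];
foreach (survivingControlBytes() as $hex) {
    printf("0x%s kept %s\n", $hex, $names[$hex] ?? '(other control byte)');
}

// Constructed sample input: a NUL splits the tag name, while the
// TAB and CRLF are legitimate whitespace that must pass through.
$sample = "<java\0script>a\tb\r\n";
echo bin2hex($sample), "\n";
echo bin2hex(stripControlChars($sample)), "\n";
```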