大家好，我卡颂。

网站建设哪家好，找成都创新互联！专注于网页设计、网站建设、微信开发、成都小程序开发、集团企业网站建设等服务项目。为回馈新老客户创新互联还提供了维西免费建站欢迎大家使用！

业务中经常遇到需要处理「有风险的DOM」的场景，比如：

• 各种工具的文本粘贴功能
• 需要渲染服务端返回HTML的场景

为了阻止潜在的XSS攻击，有两个选择：

• escape(转义)
• sanitize(消毒)

本文会介绍这两者的区别以及为DOM消毒的API —— Sanitizer。

本文内容来自Safe DOM manipulation with the Sanitizer API[1]

转义与消毒

假设，我们想将这样一段HTML字符串插入DOM：

 
 
 
 
  
  
  
  
const str = ""; 
 
 
 

如果直接将其作为某个元素的innerHTML，img的onerror回调执行JS代码的能力会带来XSS风险。

一种常见解决方案是：转义字符串。

什么是escape

浏览器会将一些保留字符解析为HTML代码，比如：

• <被解析为标签的开头
• >被解析为标签的结尾
• ''被解析为属性值的开头和结尾

为了将这些保留字符显示为文本(不被解析为HTML代码)，可以将其替换为对应的entity(HTML实体)：

• <的实体为<
• >的实体为>
• ''的实体为"

这种将HTML字符替换为entity的方式被称为escape(转义)

什么是sanitize

对于上面的HTML字符串：

 
 
 
 
  
  
  
  
const str = ""; 
 
 
 

除了转义''来规避XSS风险，还有一种更直观的思路：直接过滤掉onerror属性。

这种直接移除HTML字符串中有害的代码（比如

基本 文件 流程 错误 SQL 调试

1. 请求信息 : 2026-03-26 12:14:32 HTTP/1.1 GET : /article/coddogo.html
2. 运行时间 : 2.3629s ( Load:0.0064s Init:1.7215s Exec:0.6255s Template:0.0095s )
3. 吞吐率 : 0.42req/s
4. 内存开销 : 2,231.98 kb
5. 查询信息 : 12 queries 5 writes
6. 文件加载 : 36
7. 缓存信息 : 0 gets 0 writes
8. 配置加载 : 130
9. 会话信息 : SESSION_ID=lolt1kcv9p3jdngo62j819u2t1

1. /www/wwwroot/tsicrk.com/index.php ( 1.09 KB )
2. /www/wwwroot/tsicrk.com/ThinkPHP/ThinkPHP.php ( 4.61 KB )
3. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Think.class.php ( 12.26 KB )
4. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Storage.class.php ( 1.37 KB )
5. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Storage/Driver/File.class.php ( 3.52 KB )
6. /www/wwwroot/tsicrk.com/ThinkPHP/Mode/common.php ( 2.82 KB )
7. /www/wwwroot/tsicrk.com/ThinkPHP/Common/functions.php ( 53.56 KB )
8. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Hook.class.php ( 4.01 KB )
9. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/App.class.php ( 13.49 KB )
10. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Dispatcher.class.php ( 14.79 KB )
11. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Route.class.php ( 13.36 KB )
12. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Controller.class.php ( 11.23 KB )
13. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/View.class.php ( 7.59 KB )
14. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Behavior/BuildLiteBehavior.class.php ( 3.68 KB )
15. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Behavior/ParseTemplateBehavior.class.php ( 3.88 KB )
16. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Behavior/ContentReplaceBehavior.class.php ( 1.91 KB )
17. /www/wwwroot/tsicrk.com/ThinkPHP/Conf/convention.php ( 11.15 KB )
18. /www/wwwroot/tsicrk.com/App/Common/Conf/config.php ( 2.14 KB )
19. /www/wwwroot/tsicrk.com/ThinkPHP/Lang/zh-cn.php ( 2.55 KB )
20. /www/wwwroot/tsicrk.com/ThinkPHP/Conf/debug.php ( 1.49 KB )
21. /www/wwwroot/tsicrk.com/App/Home/Conf/config.php ( 0.31 KB )
22. /www/wwwroot/tsicrk.com/App/Home/Common/function.php ( 3.33 KB )
23. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Behavior/ReadHtmlCacheBehavior.class.php ( 5.62 KB )
24. /www/wwwroot/tsicrk.com/App/Home/Controller/ArticleController.class.php ( 6.02 KB )
25. /www/wwwroot/tsicrk.com/App/Home/Controller/CommController.class.php ( 1.60 KB )
26. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Model.class.php ( 60.11 KB )
27. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Db.class.php ( 32.43 KB )
28. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Db/Driver/Pdo.class.php ( 16.74 KB )
29. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Cache.class.php ( 3.83 KB )
30. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Cache/Driver/File.class.php ( 5.87 KB )
31. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Template.class.php ( 28.16 KB )
32. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Template/TagLib/Cx.class.php ( 22.40 KB )
33. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Template/TagLib.class.php ( 9.16 KB )
34. /www/wwwroot/tsicrk.com/App/Runtime/Cache/Home/7540f392f42b28b481b30614275e4e55.php ( 17.71 KB )
35. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Behavior/WriteHtmlCacheBehavior.class.php ( 0.97 KB )
36. /www/wwwroot/tsicrk.com/ThinkPHP/Library/Behavior/ShowPageTraceBehavior.class.php ( 5.24 KB )

1. [ app_init ] --START--
2. Run Behavior\BuildLiteBehavior [ RunTime:0.000005s ]
3. [ app_init ] --END-- [ RunTime:0.000027s ]
4. [ app_begin ] --START--
5. Run Behavior\ReadHtmlCacheBehavior [ RunTime:0.000272s ]
6. [ app_begin ] --END-- [ RunTime:0.000290s ]
7. [ view_parse ] --START--
8. [ template_filter ] --START--
9. Run Behavior\ContentReplaceBehavior [ RunTime:0.000074s ]
10. [ template_filter ] --END-- [ RunTime:0.000113s ]
11. Run Behavior\ParseTemplateBehavior [ RunTime:0.006658s ]
12. [ view_parse ] --END-- [ RunTime:0.006683s ]
13. [ view_filter ] --START--
14. Run Behavior\WriteHtmlCacheBehavior [ RunTime:0.000155s ]
15. [ view_filter ] --END-- [ RunTime:0.000170s ]
16. [ app_end ] --START--

1. 1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') LIMIT 1' at line 1 [ SQL语句 ] : SELECT `id`,`pid`,`navname` FROM `cx_nav` WHERE ( id= ) LIMIT 1
2. 1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') LIMIT 1' at line 1 [ SQL语句 ] : SELECT `id`,`navname` FROM `cx_nav` WHERE ( id= ) LIMIT 1
3. 1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1 [ SQL语句 ] : SELECT `id`,`navname` FROM `cx_nav` WHERE ( pid= )
4. [8] Undefined index: pid /www/wwwroot/tsicrk.com/App/Home/Controller/ArticleController.class.php 第 47 行.
5. [8] Undefined index: db_host /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Db.class.php 第 120 行.
6. [8] Undefined index: db_port /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Db.class.php 第 121 行.
7. [8] Undefined index: db_name /www/wwwroot/tsicrk.com/ThinkPHP/Library/Think/Db.class.php 第 122 行.

2.3629s