:', $str); // (2) Avoid injection of JavaScript events like onload=, but still allow HTML tags that might start with alert(1)'); #echo anti_xss(' on august ONLINE'); #echo anti_xss(''); #echo 'Click me'; #echo anti_xss('foo xxx', array('a')); #echo anti_xss('foo xxx', array('*')); #echo anti_xss("foobar
JavaScript: is cool
"); #echo anti_xss("foobar
JavaScript  : is cool
"); #echo anti_xss("foobar
VbScript: is cool
"); #echo anti_xss(''); # Currently we don't support these XSS vectors, but I am unsure whether they work at all in modern browsers #echo anti_xss('
'); #echo anti_xss('bla'); # Currently we are vulnerable to these vectors # (does not work with Chrome) #echo anti_xss(''); #echo anti_xss(''); // only IE # TODO: find more vectors from cheat sheets # https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet /* if (isset($_POST['blabla'])) { echo anti_xss($_POST['blabla']); #echo $_POST['blabla']; } else { echo '
'; #echo ''; echo ''; echo ''; echo '
'; } */