标签: htmlspecialchars, 函数, 并不能
<a href=" <?php echo htmlspecialchars("javascript:alert(1)",ENT_QUOTES); ?> ">a</a> <a href=" <?php echo htmlspecialchars("javascript:location%3D'http%3A%2F%2Fqq.com'",ENT_QUOTES); ?> ">a</a>