$address and $cityState are user provided, stored in a DB, and available for others to view as shown below. Is there risk of XSS? Should htmlspecialchars() also be used on it?
<img src="http://maps.google.com/maps/api/staticmap?markers=color:blue|<?php echo(urlencode($address.' '.$cityState));?>&zoom=14&size=400x400&sensor=false" alt="Map" />
Yes, htmlspecialchars should also be used - you're first encoding the URL to be URL-safe, and then you're building it into an HTML attribute, which 'requires' the HTML-style escaping.
After using both encodings it's no longer possible to inject arbitrary code on your end of the scale, so if any risks remain they're on Google's end. As such you can then consider this code safe.
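The layered encoding the answer describes, written out as an added example (this is not code from the question or the answer): the user data is percent-encoded into the query string first, and the finished URL is then HTML-escaped when it is placed in the src attribute. The parameter names and values mirror the question's URL; the hostile sample input and the function names are constructed for illustration.

```php
<?php
// Added example, not from the original question or answer.
// Layer 1: URL context. http_build_query() percent-encodes every value
// (PHP_QUERY_RFC3986 gives %20 for spaces), so '"', '<', '&', '|' from
// user input cannot alter the query structure or escape the attribute.
function staticMapUrl(string $address, string $cityState): string
{
    $query = http_build_query([
        'markers' => 'color:blue|' . $address . ' ' . $cityState,
        'zoom'    => 14,
        'size'    => '400x400',
        'sensor'  => 'false',
    ], '', '&', PHP_QUERY_RFC3986);

    return 'http://maps.google.com/maps/api/staticmap?' . $query;
}

// Layer 2: HTML attribute context. The URL is now being embedded in an
// attribute, so escape it for that context. ENT_QUOTES covers both quote
// styles; the '&' separating query parameters becomes '&amp;', which the
// browser decodes back to '&' before requesting the image.
function staticMapImg(string $address, string $cityState): string
{
    $url = htmlspecialchars(staticMapUrl($address, $cityState), ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<img src="' . $url . '" alt="Map" />';
}

// Constructed hostile input: tries to close the attribute and add a handler.
$address   = '1 Main St" onerror="alert(1)';
$cityState = 'Springfield, IL';

// The '"' and spaces reach the attribute only as %22 and %20, so the HTML
// parser never sees an attribute delimiter coming from user data.
echo staticMapImg($address, $cityState), PHP_EOL;
```

Applying htmlspecialchars() to the whole URL rather than only to the user-supplied part has a side benefit: the literal & between query parameters in the question's markup becomes &amp;, which is the correct form inside an HTML attribute (browsers tolerate the bare & but it is not valid HTML).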