I was asking myself about the security of using the php function htmlentities() against XSS attacks, and maybe of related functions such as htmlspecialchars.
thanks a lot :)
htmlentities vs htmlspecialcharsBoth will prevent XSS attacks.
Difference between htmlentities() and htmlspecialchars() function: The only difference between these function is that htmlspecialchars() function convert the special characters to HTML entities whereas htmlentities() function convert all applicable characters to HTML entities.
Using htmlspecialchars() function – The htmlspecialchars() function converts special characters to HTML entities. For a majority of web-apps, we can use this method and this is one of the most popular methods to prevent XSS. This process is also known as HTML Escaping.
You will need to explicitly specify proper encoding (e.g: utf-8), Chris had a post on how to inject code even calling htmlentities without appropriate encoding.
http://shiflett.org/blog/2005/dec/google-xss-example
It is not bullet-proof, it never saves you 100%. You must remember that when it comes to security, the developer is responsible for it. Languages do provide good deal of security functions and more so it is up to developer how they secure their site whether they use whitelist approach or blacklist approach. If htmlentities was all, frameworks like codeigniter, kohana and more would not have come up with their own great security functions.
The most important thing is to sanitalize and filter any input coming from the user.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With