 

Is htmlentities() bullet proof?

Tags: security, php, xss

I was asking myself about the security of using the PHP function htmlentities() against XSS attacks, and maybe also that of related functions such as htmlspecialchars().

thanks a lot :)

fat asked Dec 11 '09 22:12



2 Answers

You will need to explicitly specify the proper encoding (e.g. UTF-8); Chris had a post on how to inject code even when calling htmlentities without the appropriate encoding.

http://shiflett.org/blog/2005/dec/google-xss-example

Jay Zeng answered Oct 18 '22 03:10

It is not bullet-proof; it never saves you 100%. You must remember that when it comes to security, the developer is responsible for it. Languages do provide a good deal of security functions, and beyond that it is up to the developer how they secure their site, whether they use a whitelist approach or a blacklist approach. If htmlentities were all it took, frameworks like CodeIgniter, Kohana and more would not have come up with their own great security functions.

The most important thing is to sanitize and filter any input coming from the user.

Sarfraz answered Oct 18 '22 03:10
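As an added example of the "not bullet-proof" point in this answer (my own code, not the answer's), the same HTML-escaped string is inert in one output context and exploitable in the next, so the context and the input validation carry the security rather than one function. The helpers e, safe_url, js_value and page_id are my own names, the inputs are constructed, and PHP 8 is assumed for the mixed type and JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not code from the answer above. The same escaped string is
// inert in one HTML context and exploitable in the next, so the output
// context and input validation, not one function, carry the security.
// Helper names (e, safe_url, js_value, page_id) are my own; assumes PHP 8.
declare(strict_types=1);

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Unquoted attribute. htmlspecialchars() leaves space and '=' alone, so
//    the value can grow a second attribute. Quoting the attribute fixes it.
$name = 'x onmouseover=alert(1)';   // constructed input
echo '<input value=' . e($name) . ">\n";    // <input value=x onmouseover=alert(1)>
echo '<input value="' . e($name) . "\">\n"; // <input value="x onmouseover=alert(1)">

// 2. URL attribute. javascript:alert(1) contains no HTML special character,
//    so escaping is a no-op; allow only the shapes you expect (whitelist).
function safe_url(string $url): string
{
    // http(s) absolute URLs, or a site-relative path starting with one '/'
    if (!preg_match('~\A(?:https?://|/(?!/))\S*\z~i', $url)) {
        return '#';
    }
    return e($url);
}
echo '<a href="' . e('javascript:alert(1)') . "\">x</a>\n";        // still executes on click
echo '<a href="' . safe_url('javascript:alert(1)') . "\">x</a>\n"; // href="#"
echo '<a href="' . safe_url('https://example.com/?q=a&b=1') . "\">x</a>\n"; // & becomes &amp;

// 3. Inside <script>, HTML entities are the wrong encoding entirely; emit the
//    value as JSON with the HTML-safe flags so "</script>" cannot appear.
function js_value(mixed $v): string
{
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}
echo '<script>var m = ' . js_value('</script><script>alert(1)</script>') . ";</script>\n";
// <script>var m = "\u003C\/script\u003E\u003Cscript\u003Ealert(1)\u003C\/script\u003E";</script>

// 4. Validate where the value has a known shape: a positive integer id needs
//    no escaping once it has been checked, and garbage is rejected outright.
function page_id(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("not a page id: $raw");
    }
    return $id;
}
echo page_id('42'), "\n";   // 42
```

The practical rule this illustrates: escape at the point of output with the encoder for that exact context (HTML text, quoted attribute, URL, JavaScript), and validate at the point of input against what the value is allowed to be; neither replaces the other.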