XSS attack in title-tag

Question

I have a form where users can fill in a news article. This contains a title and body. For each page to have a unique title, I'm using the user input (title) in the <title>-tags:

<title>$userinput</title>

I'm wondering - is it possible for the user to perform an XSS-attack this way? Should I escape this user input using htmlspecialchars?

The same also applies to <meta>-tags. I'm using user input for the description:

<meta name="description" content="$userinput" />

Can a user perform XSS-attacks in <title> and <meta>-tags?

Answer 1

Should I escape this user input using htmlspecialchars?

Yes. Location doesn't matter. All user input should be escaped.

References:

• What are the best practices for avoiding xss attacks in a PHP site
• What's the best method for sanitizing user input with PHP?
• https://stackoverflow.com/questions/tagged/php+xss