htmlspecialchars vs htmlentities when concerned with XSS

by

htmlspecialchars() will NOT protect you against UTF-7 XSS exploits, that still plague Internet Explorer, even in IE 9: http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/

For instance:

<?php
$_GET['password'] = 'asdf&ddddd"fancy˝quotes˝';

echo htmlspecialchars($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancyË

echo htmlentities($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancy&Euml;quotes

You should always use htmlentities and very rarely use htmlspecialchars when sanitizing user input. ALso, you should always strip tags before. And for really important and secure sites, you should NEVER trust strip_tags(). Use HTMLPurifier for PHP.

More Related Contents:

  1. How to prevent injection when user is supplying an arbitrary URL parameter?
  2. xss attack on a php page
  3. How can I sanitize user input with PHP?
  4. How to prevent XSS with HTML/PHP?
  5. What are the best practices for avoiding xss attacks in a PHP site [closed]
  6. The ultimate clean/secure function
  7. Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
  8. PHP_SELF and XSS
  9. Best way to defend against mysql injection and cross site scripting
  10. How can I properly escape HTML form input default values in PHP?
  11. CodeIgniter – why use xss_clean
  12. How do you set up use HttpOnly cookies in PHP
  13. Prevent XSS with strip_tags()?
  14. XSS filtering function in PHP
  15. Protection against XSS exploits?
  16. Why do I get this error on first load of website?
  17. How to check checboxes in a php table?
  18. How to sum all column values in multi-dimensional array?
  19. What does a \ (backslash) do in PHP (5.3+)?
  20. A numeric string as array key in PHP
  21. Merging two images with PHP
  22. How do I get the HTML code of a web page in PHP?
  23. Error logging, in a smooth way
  24. Get entire URL, including query string and anchor
  25. How to enable mysqlnd for php?
  26. How to reduce the image size without losing quality in PHP [closed]
  27. Print newline in PHP in single quotes
  28. How to install Imagick/imagemagick PHP extension on windows 7
  29. PHP $_POST not working? [duplicate]
  30. Using utf8mb4 with php and mysql

Leave a Comment