1. Home
2. php - htmlspecialchars vs htmlentities when concerned with XSS

905 votes

2 answers

php - htmlspecialchars vs htmlentities when concerned with XSS

Get the solution ↓↓↓

Solution:

htmlspecialchars() will NOT protect you against UTF-7 XSS exploits, that still plague Internet Explorer, even in IE 9: http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/

For instance:

<?php
$_GET['password'] = 'asdf&ddddd"fancy˝quotes˝';

echo htmlspecialchars($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancyË

echo htmlentities($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancy&Euml;quotes
Copy code

You should always use htmlentities and very rarely use htmlspecialchars when sanitizing user input. ALso, you should always strip tags before. And for really important and secure sites, you should NEVER trust strip_tags(). Use HTMLPurifier for PHP.

Undefined asked

2023-09-28

Write your answer

---

548

votes

Answer

Solution:

If PHP's command is used to set the charset

header('Content-Type: text/html; charset=utf-8');
Copy code

then and should both be safe for output of HTML because XSS cannot then be achieved using UTF-7 encodings.

Please note that these functions should not be used for output of values into JavaScript or CSS, because it would be possible to enter characters that enable the JavaScript or CSS to be escaped and put your site at risk. Please see the XSS Prevention Cheat Sheet on how to appropriately handle these situations.

Write your answer

---

537

votes

Answer

Solution:

I'm not sure if you have found the answer you were looking for, but, I am also looking for an HTML cleaner. I have an application I am building and want to be able to take HTML code, possibly even Javascript, or other languages and put them into a MySQL DB without causing issues nor allowing for XSS issues. I've found HTML Purifier and it appears to be the most developed and still maintained tool for cleaning up user submitted information on a PHP system. The page linked is their compairison page which can yield reasoning as to why their's or another tool could be useful. Hope this helps!

Write your answer

---

Share solution ↓

Additional Information:

Date the issue was resolved:

2023-09-28

Link To Source
Link To Answer People are also looking for solutions of the problem: object of class stdclass could not be converted to string

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

---

Similar questions

Find the answer in similar questions on our website.

248 php - Save data to two different tables in CakePHP 3

440 PHP + SQL - Using SQL Server 'Create To' scripts to create tables through PHP

68 php - Delete files/uploads when delete User

36 php - How To Check Work Progress When Building A Wordpress Theme?

327 apache - PHP - how to do GET request when username password is asked in a popup?

575 PHP running out of memory when uploading to s3 bucket - Laravel 5.2

29 php - Using PHPThumb and Thickbox/Colorbox

120 php - Cakephp 2.8.4 ignoring hasMany

444 php - File format or extension invalid PHPExcel

374 php - ask about advance search when user select all something?

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

About the technologies asked in this question

PHP

PHP (from the English Hypertext Preprocessor - hypertext preprocessor) is a scripting programming language for developing web applications. Supported by most hosting providers, it is one of the most popular tools for creating dynamic websites. The PHP scripting language has gained wide popularity due to its processing speed, simplicity, cross-platform, functionality and distribution of source codes under its own license.
https://www.php.net/

JavaScript

JavaScript is a multi-paradigm language that supports event-driven, functional, and mandatory (including object-oriented and prototype-based) programming types. Originally JavaScript was only used on the client side. JavaScript is now still used as a server-side programming language. To summarize, we can say that JavaScript is the language of the Internet.
https://www.javascript.com/

MySQL

DBMS is a database management system. It is designed to change, search, add and delete information in the database. There are many DBMSs designed for similar purposes with different features. One of the most popular is MySQL. It is a software tool designed to work with relational SQL databases. It is easy to learn even for site owners who are not professional programmers or administrators. MySQL DBMS also allows you to export and import data, which is convenient when moving large amounts of information.
https://www.mysql.com/

CSS

CSS (Cascading Style Sheets) is a formal language for describing the appearance of a document written using a markup language. It is mainly used as a means of describing, decorating the appearance of web pages written using HTML and XHTML markup languages, but can also be applied to any XML documents, such as SVG or XUL.
https://www.w3.org/TR/CSS/#css

HTML

HTML (English "hyper text markup language" - hypertext markup language) is a special markup language that is used to create sites on the Internet. Browsers understand html perfectly and can interpret it in an understandable way. In general, any page on the site is html-code, which the browser translates into a user-friendly form. By the way, the code of any page is available to everyone.
https://www.w3.org/html/