[OWASP-Security101] Is the PHP htmlentities() bulletproof?

Patrick Laverty patrick_laverty at brown.edu
Wed Jan 30 17:05:05 UTC 2013


If I want to prevent XSS in a PHP site, can I simply use htmlentities() to
prevent XSS? Is that function bulletproof? Let's say I have code like this:


<?php
$page = $_GET['title'];            // untrusted input straight from the query string
$clean_page = htmlentities($page); // default flags and charset, nothing else
echo $clean_page;                  // written into the page as HTML

Bulletproof, or can someone still get XSS into my echo?

Thanks.


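Whether that call holds depends on where the echoed value lands in the page, not on htmlentities() by itself. The script below is an added example for this thread, not the poster's code and not from any project. It pushes one breakout payload per output context through htmlentities(), with the poster's default flags and with explicit ENT_QUOTES, and then shows the encoder that fits the contexts htmlentities() cannot cover. The templates, payloads and the helper names escDefault, escHtml, escJs and escUrl are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example for the thread above, not the poster's code. Templates,
// payloads and helper names are constructed for illustration.

// The poster's call: default flags and charset. On PHP < 8.1 the default
// flags are ENT_COMPAT | ENT_HTML401, so a single quote passes through
// untouched; on 8.1+ the default includes ENT_QUOTES and ENT_SUBSTITUTE.
function escDefault(string $s): string
{
    return htmlentities($s);
}

// Same function with the flags spelled out (what 8.1+ does by default):
// ENT_QUOTES encodes ' and " on every version, ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of turning the whole result into "". This is the
// right encoder for HTML text and for values inside *quoted* attributes.
function escHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// A value inside a JavaScript string literal in a <script> block:
// json_encode with the HEX flags so that < > & ' " and line terminators
// never appear literally and cannot close the string or the script.
function escJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A URL in href/src: no encoder makes "javascript:" harmless, so reject
// any value whose scheme is not on a short allow list, then HTML-encode.
// (Relative paths are allowed; "//host" is not, to keep the check simple.)
function escUrl(string $s): string
{
    return preg_match('#^(?:https?://|/(?!/))#i', $s) ? escHtml($s) : '#';
}

// [context => [template, payload]]; %s is where the untrusted value lands,
// and each payload is written to break out of exactly that context.
$cases = [
    'html text'          => ['<h1>%s</h1>',               '<script>alert(1)</script>'],
    'double-quoted attr' => ['<input value="%s">',        '" onfocus="alert(1)" autofocus="'],
    'single-quoted attr' => ["<input value='%s'>",        "' onfocus='alert(1)' autofocus='"],
    'unquoted attr'      => ['<input value=%s>',          'x onfocus=alert(1) autofocus'],
    'event handler attr' => ['<div onclick="f(\'%s\')">', "'); alert(1); //"],
    'href attr'          => ['<a href="%s">t</a>',        'javascript:alert(1)'],
];

printf("PHP %s%s", PHP_VERSION, PHP_EOL);
foreach ($cases as $name => [$tpl, $payload]) {
    printf("%-19s default   : %s%s", $name, sprintf($tpl, escDefault($payload)), PHP_EOL);
    printf("%-19s ENT_QUOTES: %s%s", '', sprintf($tpl, escHtml($payload)), PHP_EOL);
}
// What a browser does with the markup printed above:
//  html text, double-quoted attr  - both encoders hold; nothing executes.
//  single-quoted attr             - default flags on PHP < 8.1 leave the
//                                   quote alone, so onfocus= becomes a real
//                                   attribute; ENT_QUOTES closes that gap.
//  unquoted attr                  - neither call encodes space or =, so the
//                                   value ends at the first space and
//                                   onfocus= is a live attribute.
//  event handler attr             - the HTML parser decodes &#039; back to '
//                                   before the JS engine reads the handler,
//                                   so f(''); alert(1) runs despite ENT_QUOTES.
//  href attr                      - javascript:alert(1) contains nothing
//                                   htmlentities() touches; clicking runs it.

// Hardened forms for the contexts htmlentities() alone cannot cover.
$title = "'); alert(1); //";
$url   = 'javascript:alert(1)';
echo PHP_EOL, 'fixed:', PHP_EOL;
// Event handler: never build JS source from data; carry the value in an
// HTML-encoded data attribute and read it as a plain value in the handler.
printf('<div data-title="%s" onclick="f(this.dataset.title)">%s', escHtml($title), PHP_EOL);
// Inline script: json_encode supplies its own quotes and escapes.
printf('<script>var title = %s;</script>%s', escJs($title), PHP_EOL);
// href: scheme check first, encoding second.
printf('<a href="%s">t</a>%s', escUrl($url), PHP_EOL);
```

Run it under two PHP versions (one before 8.1, one after) and compare the single-quoted attribute line: that is the only case where the default flags alone make a difference. The other three breakouts are not about flags at all; they happen because the value is parsed a second time (by the attribute tokenizer, the event-handler decode, or the URL scheme handler) after htmlentities() has done its one job.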