[OWASP-Security101] Is the PHP htmlentities() bulletproof?
patrick_laverty at brown.edu
Wed Jan 30 17:39:40 UTC 2013
Thanks Max, yeah, when I try all those examples that Shiflett shows on that
StackOverflow page, they all get cleaned up. Doesn't matter which encoding
I pick. Here's what the code looked like:
header('Content-Type: text/html; UTF-7');
$string = "<script>alert('XSS');</script>";
$string = mb_convert_encoding($string, 'UTF-7');
I changed that encoding value to many of those that are available and they
all do escape properly. It seems that the htmlentities function has been
updated since that information was made known.
On Wed, Jan 30, 2013 at 12:11 PM, Max Morresi <maxmorresi at gmail.com> wrote:
> Looks like it then comes down to encoding:
> Almost a verbatim question, heh.
> On Wed, Jan 30, 2013 at 12:05 PM, Patrick Laverty <patrick_laverty at brown.edu> wrote:
>> If I want to prevent XSS in a PHP site, can I simply use htmlentities() to
>> prevent XSS? Is that function bulletproof? Let's say I have code like
>> $page = $_GET['title'];
>> $clean_page = htmlentities($page);
>> echo $clean_page;
>> Bulletproof or can someone still get XSS to my echo?
> Maximilian Morresi
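Added example (not code from the thread): an escaping helper that makes the two things htmlentities() depends on explicit, namely the flags and the charset, and a Content-Type header that actually declares a charset (the thread's "text/html; UTF-7" has no charset= parameter, so it declares none). It assumes PHP 5.4 or later and a UTF-8 application; the function names are my own.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PHP >= 5.4 and that
// the application stores and renders everything as UTF-8.
declare(strict_types=1);

/** Escape untrusted text for an HTML body or a quoted attribute value. */
function esc_html(string $untrusted): string
{
    // ENT_QUOTES: also escape the single quote, so the value is safe inside a
    //   single-quoted attribute (before PHP 8.1 the default ENT_COMPAT skips it).
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning "",
    //   which would silently drop the whole value and hide a decoding problem.
    // 'UTF-8': name the charset instead of relying on the runtime default.
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

/** Tell the browser the charset so it never has to guess (or be told) one. */
function send_html_headers(): void
{
    // "text/html; UTF-7" (as in the thread) is not a charset declaration at all;
    // the parameter has to be spelled charset=... to have any effect.
    header('Content-Type: text/html; charset=UTF-8');
}

// Constructed inputs: the thread's own test string, raw and after UTF-7 conversion.
$raw  = "<script>alert('XSS');</script>";
$utf7 = mb_convert_encoding($raw, 'UTF-7', 'UTF-8');

send_html_headers();
foreach (['raw' => $raw, 'utf-7' => $utf7] as $label => $input) {
    printf("%-5s in : %s\n", $label, $input);
    printf("%-5s out: %s\n", $label, esc_html($input));
}
// The UTF-7 form is plain ASCII ('<' becomes +ADw-), so htmlentities() finds
// nothing to escape. It is harmless only because the response declares
// charset=UTF-8 and the browser therefore never decodes it as UTF-7: the
// escaping function and the declared charset have to work together.
```

htmlentities() only covers the HTML body and quoted-attribute contexts; a value placed inside a script block, a URL, or an unquoted attribute needs escaping for that context instead.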