[OWASP-Security101] Is the PHP htmlentities() bulletproof?

Patrick Laverty patrick_laverty at brown.edu
Wed Jan 30 17:39:40 UTC 2013


Thanks Max, yeah, when I try all those examples that Shiflett shows on that
StackOverflow page, they all get cleaned up. Doesn't matter which encoding
I pick. Here's what the code looked like:

<?php
// Declare the page charset; without the "charset=" key the header says nothing about encoding
header('Content-Type: text/html; charset=UTF-7');
$string = "<script>alert('XSS');</script>";
// Re-encode the payload from UTF-8 to UTF-7 before escaping it
$string = mb_convert_encoding($string, 'UTF-7', 'UTF-8');
echo htmlentities($string);
?>

I changed that encoding value to many of those that are available and they
all do escape properly. It seems that the htmlentities function has been
updated since that information was made known.


On Wed, Jan 30, 2013 at 12:11 PM, Max Morresi <maxmorresi at gmail.com> wrote:

> Looks like it then comes down to encoding:
> http://stackoverflow.com/questions/1891392/is-htmlentities-bullet-proof
>
> Almost a verbatim question, heh.
> Regards,
> M
>
> On Wed, Jan 30, 2013 at 12:05 PM, Patrick Laverty <
> patrick_laverty at brown.edu> wrote:
>
>> If I want to prevent XSS in a PHP site, can I simply use htmlentities() to
>> prevent XSS? Is that function bulletproof? Let's say I have code like
>> this:
>>
>>
>> $page = $_GET['title'];
>> $clean_page = htmlentities($page);
>> echo $clean_page;
>>
>> Bulletproof or can someone still get XSS to my echo?
>>
>> Thanks.
>> _______________________________________________
>> Security101 mailing list
>> Security101 at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/security101
>> List Run By OWASP
>> List Admin: Michael.Coates at owasp.org
>>
>
>
>
> --
> Maximilian Morresi
> 610.291.2801
>

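As an added example (not code from the thread, nor from PHP's own documentation), the script below shows what the result of htmlentities() depends on: the flags and charset passed to it, and whether that charset matches the one the page declares. It goes beyond the UTF-7 test discussed above by also covering attribute quotes and invalid byte sequences; all input strings are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Run from the CLI: php htmlentities_check.php
declare(strict_types=1);

// Declare the same charset the escaper below assumes (header() is a no-op on the CLI).
header('Content-Type: text/html; charset=UTF-8');

// Escape for an HTML text node or a quoted attribute. Name the charset and the
// quote flags explicitly instead of relying on PHP-version defaults (single
// quotes were not escaped by default before PHP 8.1).
function escapeHtml(string $input): string
{
    return htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Constructed inputs for the demonstration.
$payload = "<script>alert('XSS');</script>";
$quotes  = "\" onmouseover='alert(1)";   // hostile only if it lands inside an attribute
$badUtf8 = "abc\xC3\x28";                 // 0xC3 0x28 is not a valid UTF-8 sequence

// 1. Text node: every <, >, " and ' becomes an entity.
echo escapeHtml($payload), PHP_EOL;
// &lt;script&gt;alert(&#039;XSS&#039;);&lt;/script&gt;

// 2. Attribute value: with ENT_QUOTES both quote characters are escaped, so the
//    value cannot close a single- or double-quoted attribute.
echo escapeHtml($quotes), PHP_EOL;
// &quot; onmouseover=&#039;alert(1)

// 3. Invalid bytes: without ENT_SUBSTITUTE (or ENT_IGNORE), htmlentities() returns
//    an empty string for the whole input (PHP >= 5.4), so the output disappears
//    silently; with ENT_SUBSTITUTE the bad bytes become U+FFFD and the rest is
//    escaped as usual.
var_dump(htmlentities($badUtf8, ENT_QUOTES, 'UTF-8') === '');   // bool(true)
var_dump(escapeHtml($badUtf8) !== '');                          // bool(true)

// 4. The UTF-7 test from the thread: re-encoding the payload before escaping turns
//    '<' and '>' into +ADw- and +AD4- sequences, so htmlentities() sees nothing to
//    escape. Whether such output is dangerous depends on the charset the browser
//    applies to the page, which is why the declared charset and the one given to
//    htmlentities() must agree.
$utf7 = mb_convert_encoding($payload, 'UTF-7', 'UTF-8');
var_dump(strpos($utf7, '<') === false);                  // bool(true)
var_dump(strpos(escapeHtml($utf7), '&lt;') === false);   // bool(true)
```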
