[OWASP-Security101] Is the PHP htmlentities() bulletproof?

Max Morresi maxmorresi at gmail.com
Wed Jan 30 17:11:01 UTC 2013


Looks like it then comes down to encoding:
http://stackoverflow.com/questions/1891392/is-htmlentities-bullet-proof

Almost a verbatim question, heh.
Regards,
M

On Wed, Jan 30, 2013 at 12:05 PM, Patrick Laverty <patrick_laverty at brown.edu> wrote:

> If I want to prevent XSS in a PHP site, can I simply use htmlentities() to
> prevent XSS? Is that function bulletproof? Let's say I have code like this:
>
>
> $page = $_GET['title'];
> $clean_page = htmlentities($page);
> echo $clean_page;
>
> Bulletproof or can someone still get XSS to my echo?
>
> Thanks.
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>



-- 
Maximilian Morresi
610.291.2801
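The short answer the thread points at (the StackOverflow link above) is that htmlentities() is only correct for one output context: an HTML text node or a quoted HTML attribute, with the flags and charset set explicitly. The following PHP script is an added example, not code from either poster, that feeds constructed inputs (standing in for $_GET['title']) through htmlentities() and prints what lands in several output contexts; the `enc()` helper and the sample payloads are mine. Run it with `php htmlentities_contexts.php` and read the generated markup as a browser would.

```php
<?php
// Added example (not from the original thread): shows where htmlentities()
// does and does not stop XSS, depending on the output context and flags.
// Run with: php htmlentities_contexts.php
declare(strict_types=1);

// Constructed sample inputs, standing in for $_GET['title'].
$inputs = [
    'text'        => '<script>alert(1)</script>',
    'unquoted'    => 'x onmouseover=alert(1)',   // contains no <, >, " or &
    'singlequote' => "' onmouseover='alert(1)",  // only ' is special here
    'handler'     => "');alert(1);//",           // aimed at an onclick attribute
    'url'         => 'javascript:alert(1)',      // nothing here is HTML-special
];

// PHP < 8.1 defaults to ENT_COMPAT (single quotes left alone); 8.1+ defaults to
// ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Passing the flags and charset
// explicitly keeps the behaviour from depending on the server's PHP version.
function enc(string $s, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401): string
{
    return htmlentities($s, $flags, 'UTF-8');
}

// Safe: HTML text node. Every character that matters is encoded.
printf("<p>%s</p>\n", enc($inputs['text']));

// Unsafe: unquoted attribute value. Space and '=' are not encoded, so the
// payload simply becomes a second attribute. Always quote attribute values.
printf("<input value=%s>\n", enc($inputs['unquoted']));

// Unsafe with ENT_COMPAT (the pre-8.1 default): ' passes through and closes a
// single-quoted attribute. The same input with ENT_QUOTES is encoded as &#039;.
printf("<input value='%s'>\n", enc($inputs['singlequote'], ENT_COMPAT));
printf("<input value='%s'>\n", enc($inputs['singlequote']));

// Unsafe regardless of flags: inside an event-handler attribute the browser
// entity-decodes the attribute value before the JavaScript engine parses it,
// so &#039; becomes ' again and the string literal is still closed.
// HTML encoding is the wrong encoder for a JS context; avoid inline handlers.
printf("<a onclick=\"go('%s')\">x</a>\n", enc($inputs['handler']));

// Unsafe regardless of flags: a javascript: URL contains nothing that
// htmlentities() touches. URLs need scheme validation, then HTML encoding.
$href = $inputs['url'];
if (!preg_match('#^https?://#i', $href)) {
    $href = '#'; // reject anything but http(s) before it reaches the attribute
}
printf("<a href=\"%s\">link</a>\n", enc($href));

// Charset: with an invalid UTF-8 byte and no ENT_SUBSTITUTE, htmlentities()
// returns '' (length 0); with ENT_SUBSTITUTE it emits U+FFFD instead
// ("title" + 3 bytes = 8). Declare the same charset in the HTTP response
// header or <meta> tag as the one passed here, or the encoding is meaningless.
$bad = "title\xff";
printf("%d %d\n", strlen(enc($bad, ENT_QUOTES)), strlen(enc($bad)));
```

The first line of output is the only one the quoted `echo $clean_page;` covers, and it is safe there. The rest are the cases practitioners get bitten by: unquoted attributes, the single-quote flag difference between PHP versions, event-handler and URL attributes that need a different encoder or validation entirely, and a charset that must match what the page actually declares.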

