[OWASP-Security101] Is the PHP htmlentities() bulletproof?
jim.manico at owasp.org
Thu Jan 31 05:18:27 UTC 2013
Your homework is: please read https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet in great depth. Read it three times. Then report back to us with a mini report on what you think.
> Looks like it then comes down to encoding:
> Almost a verbatim question, heh.
> On Wed, Jan 30, 2013 at 12:05 PM, Patrick Laverty <patrick_laverty at brown.edu> wrote:
>> If I want to prevent XSS in a PHP site, can I simply use htmlentities() to
>> prevent XSS? Is that function bulletproof? Let's say I have code like this:
>> $page = $_GET['title'];
>> $clean_page = htmlentities($page);
>> echo $clean_page;
>> Bulletproof or can someone still get XSS to my echo?
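A worked illustration of the cheat sheet's central point, added here as an example and not part of Jim's reply or of Patrick's original snippet: htmlentities() is an HTML-context encoder, nothing more. With ENT_QUOTES and an explicit charset it is sound for text in the HTML body and for values inside a quoted attribute, but it leaves untouched exactly the characters that matter in an unquoted attribute, a URL attribute, or a JavaScript string, so those contexts need their own encoding or validation. The helper names below (html_encode, render_body, render_js and so on) and the attacker payloads are assumptions made for the example.

```php
<?php
// Added example, not from the original thread. Helper names and payloads are
// constructed for illustration.

// The question's call, tightened. ENT_QUOTES encodes both ' and " (before PHP
// 8.1 the default flags left the single quote alone), ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string, and the charset is explicit.
function html_encode(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. HTML body context: htmlentities() is the right tool. < > & " ' are all
//    encoded, so injected tags never reach the parser as markup.
function render_body(string $title): string
{
    return '<h1>' . html_encode($title) . '</h1>';
}

// 2. Quoted attribute context: also fine, because the quote that would close
//    the attribute is encoded and nothing else can end the value.
function render_quoted_attr(string $title): string
{
    return '<input value="' . html_encode($title) . '">';
}

// 3. Unquoted attribute context: NOT covered. Space and '=' have no entity, so
//    the payload simply starts a new attribute on the same element.
function render_unquoted_attr(string $title): string
{
    return '<input value=' . html_encode($title) . '>';
}

// 4. URL attribute context: NOT covered. A javascript: URL contains no character
//    that htmlentities() touches; the scheme has to be validated separately
//    (allow-list http/https) before the value is placed in href.
function render_href(string $url): string
{
    return '<a href="' . html_encode($url) . '">link</a>';
}

// 5. JavaScript string context: NOT covered. The backslash has no entity, so a
//    single injected backslash escapes the closing quote of the first literal
//    and everything up to the next quote, including the second value, becomes code.
function render_js(string $a, string $b): string
{
    return "<script>var a = '" . html_encode($a) . "'; var b = '" . html_encode($b) . "';</script>";
}

// Constructed attacker inputs, one per context.
$samples = [
    'body (safe)'            => render_body('<script>alert(1)</script>'),
    'quoted attr (safe)'     => render_quoted_attr('" onfocus="alert(1)" autofocus="'),
    'unquoted attr (XSS)'    => render_unquoted_attr('x onfocus=alert(1) autofocus'),
    'href (XSS)'             => render_href('javascript:alert(1)'),
    'js string (XSS)'        => render_js('\\', ';alert(1)//'),
];

foreach ($samples as $label => $html) {
    echo str_pad($label, 22), $html, "\n";
}
```

Running the script shows the first two payloads emerging as inert entity-encoded text, while the last three reach the browser unchanged in every character that matters: the unquoted value gains an onfocus handler, the href is a live javascript: link, and the two JavaScript literals collapse into one string followed by executable code. The fix in each case is the one the cheat sheet prescribes for that context (quote every attribute, allow-list URL schemes, use JavaScript escaping such as json_encode() for data passed into script), not a stronger HTML encoder.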