[OWASP-Security101] Is the PHP htmlentities() bulletproof?

Jim Manico jim.manico at owasp.org
Thu Jan 31 05:18:27 UTC 2013


Patrick,

Your homework is: please read https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet in great depth. Read it three times. Then report back to us with a mini report on what you think.

Cool?

Aloha,
Jim


> Looks like it then comes down to encoding:
> http://stackoverflow.com/questions/1891392/is-htmlentities-bullet-proof
> 
> Almost a verbatim question, heh.
> Regards,
> M
> 
> On Wed, Jan 30, 2013 at 12:05 PM, Patrick Laverty <patrick_laverty at brown.edu> wrote:
> 
>> If I want to prevent XSS in a PHP site, can I simply use htmlentities() to
>> prevent XSS? Is that function bulletproof? Let's say I have code like this:
>>
>>
>> $page = $_GET['title'];
>> $clean_page = htmlentities($page);
>> echo $clean_page;
>>
>> Bulletproof or can someone still get XSS to my echo?
>>
>> Thanks.
>> _______________________________________________
>> Security101 mailing list
>> Security101 at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/security101
>> List Run By OWASP
>> List Admin: Michael.Coates at owasp.org
>>
> 
> 
> 
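The following PHP script is an added example by the editor; it is not code from Jim, M, Patrick, or the OWASP cheat sheet. It runs Patrick's exact pattern (htmlentities() on a $_GET value echoed straight into the page) through the HTML contexts the cheat sheet distinguishes, with constructed payloads, so the reader can see where the call is sufficient and where it is not. Two facts it relies on: before PHP 8.1 the default flags of htmlentities()/htmlspecialchars() are ENT_COMPAT | ENT_HTML401, which leave single quotes unencoded (8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401); and no character encoder can neutralise a "javascript:" scheme or an unquoted attribute, because the payload contains nothing the encoder would touch. The helper names (default_encode, html_encode, js_string_encode, safe_href) are the editor's own.

```php
<?php
// Added example (not from the thread or from OWASP). Shows why
// htmlentities() alone is not "bulletproof": whether the output is safe
// depends on the HTML context the value lands in. Every payload below is a
// constructed test input, not real traffic.

// What the question does: defaults only. Before PHP 8.1 the defaults are
// ENT_COMPAT | ENT_HTML401, so a single quote passes through unchanged.
function default_encode(string $s): string {
    return htmlentities($s);
}

// Explicit flags remove the PHP-version dependence:
// ENT_QUOTES    - encode both ' and "
// ENT_SUBSTITUTE - replace invalid UTF-8 with U+FFFD instead of returning ''
// 'UTF-8'       - state the charset rather than relying on the default
function html_encode(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value placed inside a JavaScript string literal: htmlentities() is the
// wrong encoder here. json_encode() with the HEX flags escapes < > & ' "
// as \uXXXX, so the result is safe both inside <script> and inside an
// HTML attribute.
function js_string_encode(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Value used as a URL in href/src: character encoding does nothing against
// "javascript:", so allow-list the scheme first (http, https, protocol-
// relative, or a site-relative path), then HTML-encode for the attribute.
function safe_href(string $url): string {
    if (!preg_match('#\A(https?:)?//#i', $url) && !preg_match('#\A/(?!/)#', $url)) {
        $url = '#';   // anything else (javascript:, data:, ...) is dropped
    }
    return html_encode($url);
}

// Constructed payloads, one per context.
$title    = "x' onmouseover='alert(1)";          // breaks out of a single-quoted attribute
$unquoted = "x onmouseover=alert(1)";            // needs no quotes or brackets at all
$js       = "</script><script>alert(1)</script>"; // closes a <script> block
$url      = "javascript:alert(1)";               // scheme, not characters, is the problem

// Context A: HTML text node. Here htmlentities() is enough, with or
// without the extra flags, because < and & are always encoded.
echo '<h1>' . html_encode($title) . "</h1>\n";

// Context B: single-quoted attribute. On PHP < 8.1 default_encode() leaves
// the quotes intact and the payload becomes an event handler; html_encode()
// turns them into &apos; and the value stays a value.
echo "<input value='" . default_encode($title) . "'>\n";  // vulnerable before 8.1
echo "<input value='" . html_encode($title) . "'>\n";     // safe

// Context C: unquoted attribute. No encoder can help: the payload contains
// nothing to encode. The fix is to always quote attribute values.
echo '<input value=' . html_encode($unquoted) . ">\n";    // still injects onmouseover

// Context D: JavaScript string literal. A JS/JSON encoder is required;
// html_encode() would emit &lt; which the JS parser does not decode.
echo '<script>var t = ' . js_string_encode($js) . ";</script>\n";

// Context E: URL attribute. html_encode() returns the input unchanged
// (no special characters), so the link still runs script when clicked.
echo '<a href="' . html_encode($url) . "\">bad</a>\n";    // still javascript:alert(1)
echo '<a href="' . safe_href($url) . "\">ok</a>\n";       // href="#"
```

Run it under PHP 7.x and under 8.1+ and compare the Context B lines: the difference in the first one is exactly the default-flag change, which is why an encoder should always be called with its flags spelled out. For XSS purposes htmlspecialchars() with the same flags does the same job as htmlentities(); the latter additionally converts every character that has a named entity, which is harmless but unnecessary.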


