Kurinchi Blogger Scribbles ... » html_safe library http://kurinchilamp.kurinchilion.com On Open Source Technologies Mon, 02 Jan 2012 06:14:45 +0000 en hourly 1 http://wordpress.org/?v=3.3 PHP XSS: htmlspecialchars vs. htmlentities http://kurinchilamp.kurinchilion.com/2009/05/php-xss-htmlspecialchars-vs-htmlentities.html http://kurinchilamp.kurinchilion.com/2009/05/php-xss-htmlspecialchars-vs-htmlentities.html#comments Sun, 17 May 2009 16:13:55 +0000 kurinchilamp http://kurinchilamp.kurinchilion.com/?p=333 Cross site scripting XSS is a term used to refer attacks or loop holes present in the scripting used by websites favoring hackers to exploit this path towards identity theft or phishing.

In PHP, two functions are mainly used to circumvent XSS attacks.
i) htmlspecialchars
ii) htmlentities

i) htmlspecialchars($string, [$quote_option]) takes care of &, “, ‘, <, > characters by converting them into equivalent character codes. If quote option is set to ENT_QUOTES it converts ‘ – single quotes to ' and if it is set to ENT_NOQUOTES it does not convert ” – double quotes to "

ii) htmlentities() is used to escape all html characters from the text and not just the five characters mentioned above.

Note: If you do not want any html characters in the text, use strip_tags($text) instead.

Also check PEAR’s HTML_Safe library

In wikipedia, you can learn more about XSS and its classification with examples.

]]> http://kurinchilamp.kurinchilion.com/2009/05/php-xss-htmlspecialchars-vs-htmlentities.html/feed 1