ansaurus

Question

preventing htmlentities from destroying utf8 characters ಠ_ಠ

Answer 1

+2 A:

$var=htmlspecialchars($var,ENT_QUOTES,"UTF-8");

Rook 2010-07-14 22:20:31

and that will still filter output the same wait entities would?

Scarface 2010-07-14 22:23:32

Look at the PHP documentation for how htmlspecialchars and htmlentities differ.

The Pixel Developer 2010-07-14 22:27:37

@Scarface No, its a lot better at stopping XSS than htmlentties(). There are cases where you don't need `<>`, for instance if you are in a body tag and you inject an `onload=`, and this will prevent that.

Rook 2010-07-14 22:29:03

thanks rook, appreciate it

Scarface 2010-07-14 23:15:54

Answer 2

+3 A:

Three things

HTML sanitization is an output escaping task, not input filtering. You should not do this task prior to storage, you should only do it prior to display.
If you are trying to prevent XSS, you don't need to use htmlentities() - htmlspecialchars() is sufficient. htmlentities() is used only when trying to render a content from a character-encoding that is disparate from native encoding.
Both functions accept a character encoding as the third argument.

So, finally:

echo htmlspecialchars( $content, ENT_QUOTES, 'UTF-8' );

Where if you used ENT_NOQUOTES you could be vulnerable to some types of XSS.

Peter Bailey 2010-07-14 22:25:49

thanks a lot Peter, great information

Scarface 2010-07-14 22:26:34

ಠ_ಠ ಠ_ಠ ಠ_ಠ ಠ_ಠ ಠ_ಠ

Scarface 2010-07-14 22:26:50

-1 This doesn't stop all xss, quote marks are dangerous.

Rook 2010-07-14 22:30:09

As @The Rook said, you may want to escape quotes in some circumstances (e.g. html attributes, javascript function arguments).

Artefacto 2010-07-14 22:53:01

@Artefacto html ignores backslashes, its not like mysql. You have to encode them and your encode function is flawed. My -1 stands as long as your code is vulnerable.

Rook 2010-07-14 22:58:27

@The Rook hum? htmlspecialchars encodes them in html entitities, doesn't escape them with backslashes.

Artefacto 2010-07-14 23:12:28

@The Rook Ah sorry, when I wrote "escape" I meant "encode".

Artefacto 2010-07-14 23:13:40

@The Rook - quote marks are only dangerous if you're writing user-into into the attribute of another HTML element. So using `ENT_NOQUOTES` vs `ENT_COMPAT` vs `ENT_QUOTES` is really more of a context-relevant *choice* than a "this one is always right" type of option. I just happened to pick `ENT_NOQUOTES` for this example (completely arbitrarily) and I find it disappointing that out of all the information in my answer, that is what you focused on, and voted with. Also, this is *my* answer, not Artefacto's.

Peter Bailey 2010-07-15 04:01:10

I don't care if your vote stays. It's not my position, place, or right to talk you out of it. I'm just saying it's not *always* vulnerable. If you really feel *that* strongly about it - edit it. This is a wiki-like site after all.

Peter Bailey 2010-07-15 04:05:18

ansaurus

tags:

views:

answers:

preventing htmlentities from destroying utf8 characters ಠ_ಠ

related questions