Guide: what is htmlentities()?
I have seen a lot of conflicting answers about this. Many people love to quote that PHP functions alone will not protect you from XSS.

What XSS exactly can make it through htmlspecialchars and what can make it through htmlentities? I understand the difference between the functions but not the different levels of XSS protection you are left with. Could anyone explain?

asked Sep 2, 2010 at 1:30

htmlspecialchars() will NOT protect you against UTF-7 XSS exploits, that still plague Internet Explorer, even in IE 9: http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/ For instance:
You should always use htmlentities and very rarely use htmlspecialchars when sanitizing user input. Also, you should always strip tags before. And for really important and secure sites, you should NEVER trust strip_tags(). Use HTMLPurifier for PHP.

answered Sep 2, 2010 at 1:47 Theodore R. Smith

If PHP's then

Please note that these functions should not be used for output of values into JavaScript or CSS, because it would be possible to enter characters that enable the JavaScript or CSS to be escaped and put your site at risk. Please see the XSS Prevention Cheat Sheet on how to appropriately handle these situations.

SherylHohman
answered Jan 1, 2014 at 17:50 SilverlightFox

I'm not sure if you have found the answer you were looking for, but I am also looking for an HTML cleaner. I have an application I am building and want to be able to take HTML code, possibly even JavaScript, or other languages and put them into a MySQL DB without causing issues nor allowing for XSS issues. I've found HTML Purifier and it appears to be the most developed and still maintained tool for cleaning up user-submitted information on a PHP system. The page linked is their comparison page, which can yield reasoning as to why theirs or another tool could be useful. Hope this helps!

answered Dec 19, 2012 at 15:32

You can't sanitize all types of XSS with
You have to sanitize the different types of XSS with their own sanitization methods.

Attack vector:

This type of XSS can be sanitized using

Solution:

Attack vector:

htmlspecialchars Document: this function will not prevent those vectors because they don't have any HTML special character. To prevent such attacks, you need to validate input as a URL.

Solution:

Attack vector:

In some cases, we can easily quote input and prevent the attack by sanitizing it using

Solution:

Always quote variables when they are placed inside an HTML attribute and do proper sanitization.

PHP String Reference
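The points of the answers above put side by side, as an added example that is my own code and not from any of the answers: the same kind of untrusted value escaped for the HTML body, for a quoted and an unquoted attribute, validated as a URL before it goes into an href (the vector htmlspecialchars cannot catch), and emitted as a JSON literal for a JavaScript context (the case SilverlightFox's answer warns about). The helper names e(), url() and js() and the payload strings are my own choices; the PHP functions called are the standard ones.

```php
<?php
// Added example (not code from the original answers): one untrusted value
// per output context. Helper names and sample payloads are constructed.
declare(strict_types=1);

/** HTML body and quoted-attribute context. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** href/src context: escaping is not enough, the scheme has to be checked. */
function url(string $s): ?string
{
    $parts = parse_url($s);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;                      // relative or malformed: refused here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // javascript:, data:, vbscript: ... refused
    }
    return e($s);                         // still escape it for the attribute
}

/** JavaScript string context: a JSON literal with <, >, &, quotes hex-encoded. */
function js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed attacker inputs, one per vector discussed above.
$body   = '<script>alert(1)</script>';
$attr   = '" onmouseover="alert(1)';
$bare   = 'x onmouseover=alert(1)';       // contains none of & < > " '
$link   = 'javascript:alert(1)';
$script = '</script><script>alert(1)</script>';

// Body: the tags are neutralised.
echo '<p>' . e($body) . "</p>\n";

// Quoted attribute: the injected quote is encoded, so the value stays one attribute.
echo '<input value="' . e($attr) . "\">\n";

// Unquoted attribute: e() returns $bare unchanged, and the browser reads
// "onmouseover=alert(1)" as a second attribute. Quoting is what makes it inert.
echo '<input value=' . e($bare) . ">\n";
echo '<input value="' . e($bare) . "\">\n";

// Link: e($link) alone would return javascript:alert(1) unchanged; url() refuses it.
echo '<a href="' . (url($link) ?? '#') . "\">link</a>\n";

// Script block: json_encode with the HEX flags keeps </script> from closing the block.
echo '<script>var name = ' . js($script) . ";</script>\n";
```

Run it with php on the command line and read the output as HTML. The two lines built from $bare are the ones to compare: htmlspecialchars() leaves `x onmouseover=alert(1)` untouched because it contains none of the five characters it encodes, so only the surrounding quotes keep it from becoming a new attribute. In the same way `javascript:alert(1)` passes both htmlspecialchars() and htmlentities() unchanged and is stopped only by the scheme check in url().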
Example

Convert the predefined characters "<" (less than) and ">" (greater than) to HTML entities:

<?php
$str = "This is some <b>bold</b> text.";
echo htmlspecialchars($str);
?>

The HTML output of the code above will be (View Source):

This is some &lt;b&gt;bold&lt;/b&gt; text.

The browser output of the code above will be:

This is some <b>bold</b> text.

Definition and Usage

The htmlspecialchars() function converts some predefined characters to HTML entities. The predefined characters are:

& (ampersand) becomes &amp;
" (double quote) becomes &quot;
' (single quote) becomes &#039; (only when ENT_QUOTES is set; this is the default since PHP 8.1)
< (less than) becomes &lt;
> (greater than) becomes &gt;
Tip: To convert special HTML entities back to characters, use the htmlspecialchars_decode() function.

Syntax

htmlspecialchars(string, flags, character-set, double_encode)

Parameter Values

string: Required. Specifies the string to convert.
flags: Optional. Specifies how to handle quotes, invalid encoding and the document type. The default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 since PHP 8.1 (ENT_COMPAT | ENT_HTML401 before that). ENT_COMPAT encodes only double quotes, ENT_QUOTES encodes both kinds, ENT_NOQUOTES encodes neither; ENT_SUBSTITUTE replaces invalid byte sequences with U+FFFD instead of returning an empty string.
character-set: Optional. Specifies which character set to use. The default is the default_charset ini setting, normally UTF-8.
double_encode: Optional. A boolean that specifies whether to encode existing HTML entities. The default is true; false leaves an entity such as &amp; as it is.

Technical Details

Return value: the converted string.
PHP version: 4+ (default flags changed in PHP 8.1).
More Examples

Example

Convert some predefined characters to HTML entities, with each of the quote-handling flags:

<?php
$str = "Jane & 'Tarzan'";
echo htmlspecialchars($str, ENT_COMPAT);   // converts only double quotes
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES);   // converts double and single quotes
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // does not convert any quotes
?>

The HTML output of the code above will be (View Source):

Jane &amp; 'Tarzan'<br>
Jane &amp; &#039;Tarzan&#039;<br>
Jane &amp; 'Tarzan'

The browser output of the code above will be:

Jane & 'Tarzan'
Jane & 'Tarzan'
Jane & 'Tarzan'

Example

Convert double quotes to HTML entities:
<?php
$str = 'I love "PHP".';
echo htmlspecialchars($str, ENT_QUOTES);
?>

The HTML output of the code above will be (View Source):

I love &quot;PHP&quot;.

The browser output of the code above will be:

I love "PHP".

What does htmlspecialchars() return?

The htmlspecialchars() function returns the converted string.

What's the difference between htmlentities() and htmlspecialchars()?

The only difference between these functions is that htmlspecialchars() converts only the special characters listed above (&, ", ', <, >) to HTML entities, whereas htmlentities() converts every character that has an HTML entity equivalent (for example é to &eacute;). Both handle the five HTML-significant characters identically, so the extra conversion buys no additional XSS protection.

Does htmlspecialchars() prevent XSS?

Using the htmlspecialchars() function: it converts special characters to HTML entities. For the majority of web apps this is the method to use, and it is one of the most popular ways to prevent XSS in HTML body text and quoted attribute values. This process is also known as HTML escaping. It is not sufficient on its own for values placed in URLs, unquoted attributes, JavaScript or CSS, which need their own validation or escaping.

What is the use of htmlentities() in PHP?

Definition and Usage: the htmlentities() function converts characters to HTML entities. Tip: To convert HTML entities back to characters, use the html_entity_decode() function. Tip: Use the get_html_translation_table() function to return the translation table used by htmlentities().
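To make the difference between the two functions, and the effect of the flags and charset arguments, concrete, here is an added example that is my own code and not part of the reference page. It runs both functions over a set of constructed strings: plain markup, non-ASCII characters with named entities, a URL scheme with no special characters, an already-escaped entity, and an invalid UTF-8 sequence.

```php
<?php
// Added example (not from the reference page): what htmlspecialchars() and
// htmlentities() each change, and the flag and charset choices that decide it.
// All sample strings are constructed for this example.
declare(strict_types=1);

// Declaring the encoding is what stops a browser from sniffing the page as
// UTF-7; neither escaping function does that for you. Sent before any output.
header('Content-Type: text/html; charset=UTF-8');

$flags = ENT_QUOTES | ENT_SUBSTITUTE;   // the PHP 8.1+ default, spelled out

$samples = [
    'markup'  => '<b>"Tarzan" & \'Jane\'</b>',
    'latin'   => 'Café €100',              // characters that have named entities
    'scheme'  => 'javascript:alert(1)',    // no HTML-special characters at all
    'entity'  => '&lt;b&gt;',              // already escaped once
    'badutf8' => "abc\xC3",                // truncated multibyte sequence
];

foreach ($samples as $label => $s) {
    printf("%-8s htmlspecialchars: %s\n", $label, htmlspecialchars($s, $flags, 'UTF-8'));
    printf("%-8s htmlentities    : %s\n", $label, htmlentities($s, $flags, 'UTF-8'));
}

// double_encode = false keeps an existing entity instead of turning it into &amp;lt;
echo htmlspecialchars('&lt;b&gt; & <i>', $flags, 'UTF-8', false), "\n";

// Without ENT_SUBSTITUTE (the pre-8.1 default) an invalid byte sequence makes
// the function return the empty string rather than escaped text.
var_dump(htmlspecialchars("abc\xC3", ENT_QUOTES, 'UTF-8'));
var_dump(htmlspecialchars("abc\xC3", ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
```

Reading the output: for 'markup' both functions produce the same string, since &, <, > and both quotes are handled identically; for 'latin' only htmlentities() turns é and € into &eacute; and &euro;, which is the whole difference between the two functions and has no bearing on XSS; for 'scheme' both return the input unchanged, which is why a URL has to be validated rather than escaped; for 'entity' both double-encode to &amp;lt;b&amp;gt; unless double_encode is false. The first var_dump prints an empty string, so a caller that treats "nothing came back" as "nothing to worry about" has silently dropped data; ENT_SUBSTITUTE replaces the bad byte with U+FFFD instead.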