htmlentities is badly designed

By Gareth Heyes (@hackvertor)

Published 18 years 5 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read

When someone uses htmlentities I've seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren't even aware that quotes can lead to XSS injection.

This leads me to my point, by default htmlentities should filter quotes and if the developer wishes to turn this functionality off they can using the second parameter.

Here's the code example for anyone using htmlenitites:-

In the past I've also made this mistake by assuming that the function takes quotes into account, not now though I've learned :)

← Back to articles

htmlentities is badly designed

By Gareth Heyes (@hackvertor)

Published 18 years 5 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read

← Back to articles

This leads me to my point, by default htmlentities should filter quotes and if the developer wishes to turn this functionality off they can using the second parameter.

Here's the code example for anyone using htmlenitites:-

In the past I've also made this mistake by assuming that the function takes quotes into account, not now though I've learned :)

← Back to articles