Published 18 years 6 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
When someone uses htmlentities I've seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren't even aware that quotes can lead to XSS injection.
This leads me to my point, by default htmlentities should filter quotes and if the developer wishes to turn this functionality off they can using the second parameter.
Here's the code example for anyone using htmlenitites:-
<pre lang="php"> <?php htmlentities($variable, ENT_QUOTES); ?> </pre>In the past I've also made this mistake by assuming that the function takes quotes into account, not now though I've learned :)