htmlentities is badly designed
Monday, 26 November 2007
When someone uses htmlentities I’ve seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren’t even aware that quotes can lead to XSS injection.
This leads me to my point, by default htmlentities should filter quotes and if the developer wishes to turn this functionality off they can using the second parameter.
Here’s the code example for anyone using htmlenitites:-
<?php htmlentities($variable, ENT_QUOTES); ?>
In the past I’ve also made this mistake by assuming that the function takes quotes into account, not now though I’ve learned