Comments on: htmlentities is badly designed http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/ Javascript blog with messed up syntax inside Thu, 26 Jan 2012 01:38:34 +0000 hourly 1 By: Mtutnid http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-1844 Mtutnid Thu, 14 Oct 2010 14:42:02 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-1844 By specifying UYF-8 you are exposing your website to an overflow vulnerability. :D:D funny. You have to upgrade to the newest version of PHP to prevent this. By specifying UYF-8 you are exposing your website to an overflow vulnerability. :D :D funny. You have to upgrade to the newest version of PHP to prevent this.

]]> By: Jeremy Glover http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-1481 Jeremy Glover Thu, 19 Mar 2009 15:26:31 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-1481 Great catch. Just did a find and replace in my code on 72 instances. Great catch. Just did a find and replace in my code on 72 instances.

]]> By: open source http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-953 open source Thu, 29 Nov 2007 20:49:14 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-953 Manual... ;) Manual… ;)

]]> By: Lars Strojny http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-936 Lars Strojny Tue, 27 Nov 2007 14:41:54 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-936 As Michelangelo van Dam and Ed Finkler pointed out, you should also specify the charset. But specifying it does not help, as you first need to enforce the input charset to get rid of UTF-7 attacks and stuff. Something like this would work: $input = iconv($_GET['input'], 'UTF-8', 'UTF-8'); $input = htmlentities($input, ENT_QUOTES, $input); As Michelangelo van Dam and Ed Finkler pointed out, you should also specify the charset. But specifying it does not help, as you first need to enforce the input charset to get rid of UTF-7 attacks and stuff. Something like this would work:
$input = iconv($_GET['input'], ‘UTF-8′, ‘UTF-8′);
$input = htmlentities($input, ENT_QUOTES, $input);

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-935 Gareth Heyes Tue, 27 Nov 2007 12:12:01 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-935 Sure whitelist filters and the like would be a better approach. Still my main point was the misunderstanding of htmlenitites and htmlspecialchars or any other function which requires the second parameter to escape quotes. Many developers think that this is being done and it clearly isn't. Sure whitelist filters and the like would be a better approach. Still my main point was the misunderstanding of htmlenitites and htmlspecialchars or any other function which requires the second parameter to escape quotes.

Many developers think that this is being done and it clearly isn’t.

]]> By: Jim Manico http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-934 Jim Manico Tue, 27 Nov 2007 11:58:21 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-934 I don't think we want to be using any of these functions in a day-2-day fashion. We should be rolling these functions into platform level easier-to-user functions that all programmers on our teams must use. Drupal security is poor at best overall, but I like their direction of their php input validation functions: http://api.drupal.org/?q=api/group/validation/5 and the like. I don’t think we want to be using any of these functions in a day-2-day fashion. We should be rolling these functions into platform level easier-to-user functions that all programmers on our teams must use. Drupal security is poor at best overall, but I like their direction of their php input validation functions: http://api.drupal.org/?q=api/group/validation/5 and the like.

]]> By: phpnewuser http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-933 phpnewuser Tue, 27 Nov 2007 03:38:09 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-933 if I use htmlentities just to decode specialchars like áéíóúñÑ, i wonder if its wrong. What would you use instead ? if I use htmlentities just to decode specialchars like áéíóúñÑ, i wonder if its wrong.

What would you use instead ?

]]> By: Ed Finkler http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-932 Ed Finkler Tue, 27 Nov 2007 00:01:04 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-932 And that was already in the first comment. Sorry about that... long day. 8) And that was already in the first comment. Sorry about that… long day. 8)

]]> By: Ed Finkler http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-931 Ed Finkler Mon, 26 Nov 2007 23:56:21 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-931 Smarter people than me have suggested that one should also pass the $charset param to htmlentities or htmlspecialchars. http://shiflett.org/blog/2007/may/character-encoding-and-xss I agree with the supposition that the PHP escaping functions require too much work to be "safe," though. Smarter people than me have suggested that one should also pass the $charset param to htmlentities or htmlspecialchars.

http://shiflett.org/blog/2007/may/character-encoding-and-xss

I agree with the supposition that the PHP escaping functions require too much work to be “safe,” though.

]]> By: Gareth Heyes http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-930 Gareth Heyes Mon, 26 Nov 2007 22:33:33 +0000 http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/#comment-930 Good information to know Felix thanks Good information to know Felix thanks

]]>