Comments on: htmlentities is badly designed

By: open source

open source — Thu, 29 Nov 2007 20:49:14 +0000

Manual…

By: Lars Strojny

Lars Strojny — Tue, 27 Nov 2007 14:41:54 +0000

As Michelangelo van Dam and Ed Finkler pointed out, you should also specify the charset. But specifying it does not help, as you first need to enforce the input charset to get rid of UTF-7 attacks and stuff. Something like this would work:
$input = iconv($_GET['input'], ‘UTF-8′, ‘UTF-8′);
$input = htmlentities($input, ENT_QUOTES, $input);

By: Gareth Heyes

Gareth Heyes — Tue, 27 Nov 2007 12:12:01 +0000

Sure whitelist filters and the like would be a better approach. Still my main point was the misunderstanding of htmlenitites and htmlspecialchars or any other function which requires the second parameter to escape quotes.

Many developers think that this is being done and it clearly isn’t.

By: Jim Manico

Jim Manico — Tue, 27 Nov 2007 11:58:21 +0000

I don’t think we want to be using any of these functions in a day-2-day fashion. We should be rolling these functions into platform level easier-to-user functions that all programmers on our teams must use. Drupal security is poor at best overall, but I like their direction of their php input validation functions: http://api.drupal.org/?q=api/group/validation/5 and the like.

By: phpnewuser

phpnewuser — Tue, 27 Nov 2007 03:38:09 +0000

if I use htmlentities just to decode specialchars like áéíóúñÑ, i wonder if its wrong.

What would you use instead ?

By: Ed Finkler

Ed Finkler — Tue, 27 Nov 2007 00:01:04 +0000

And that was already in the first comment. Sorry about that… long day.

By: Ed Finkler

Ed Finkler — Mon, 26 Nov 2007 23:56:21 +0000

Smarter people than me have suggested that one should also pass the $charset param to htmlentities or htmlspecialchars.

http://shiflett.org/blog/2007/may/character-encoding-and-xss

I agree with the supposition that the PHP escaping functions require too much work to be “safe,” though.

By: Gareth Heyes

Gareth Heyes — Mon, 26 Nov 2007 22:33:33 +0000

Good information to know Felix thanks

By: Felix Zaslavskiy

Felix Zaslavskiy — Mon, 26 Nov 2007 22:25:51 +0000

I looked into the htmlentities implementation a while back and its implemented pretty inefficiently so you got to watch out you will be calling it thousands of times in a loop or encoding the same input multiple times. htmlspecialchars is probably much faster.

By: Gareth Heyes

Gareth Heyes — Mon, 26 Nov 2007 13:33:20 +0000

Yep that’s the point I was trying to make in my last comment