htmlentities is badly designed
Published: Mon, 26 Nov 2007 10:10:51 GMT
Updated: Sat, 22 Mar 2025 15:38:07 GMT
When someone uses htmlentities I've seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren't even aware that quotes can lead to XSS injection.
This leads me to my point, by default htmlentities should filter quotes and if the developer wishes to turn this functionality off they can using the second parameter.
Here's the code example for anyone using htmlenitites:-
<pre lang="php"> <?php htmlentities($variable, ENT_QUOTES); ?> </pre>In the past I've also made this mistake by assuming that the function takes quotes into account, not now though I've learned :)