wikedstik

PHP site using htmlentities

Discussion created by wikedstik on Jun 8, 2016

I have a developer saying he is using htmlentities to convert <script> to basic html text, thus he isn't vulnerable to XSS scripting. Is this accurate information?


The htmlentities function takes a string and returns the same string with HTML converted into HTML entities. For example, the string "<script>" would be converted to "&lt;script&gt;".

By converting the < and > into entities, it prevents the browser from using it as an HTML element and it prevents the code from running if you were to display some user's input on your website.
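As an added illustration (this is not code from the original post or from the developer being discussed), the following PHP snippet shows what htmlentities does to a constructed input and where that protection stops. The helper names e() and safe_url(), the sample input, and the "http(s) or relative path only" URL policy are assumptions made for the example; the flag constants and json_encode options are standard PHP.

```php
<?php
// Added example: a small escaping helper around htmlentities() and a walk
// through the contexts where entity encoding does and does not protect you.
declare(strict_types=1);

// Escape a string for insertion as HTML text or inside a *quoted* attribute.
// ENT_QUOTES encodes both " and ' (before PHP 8.1 the default flags left the
// single quote untouched, so pass it explicitly), ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string, and the explicit charset
// keeps the result independent of php.ini settings.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape a value destined for an href/src attribute. Entity encoding alone is
// not enough there: the browser decodes entities *before* it interprets the
// URL scheme, so the scheme has to be restricted first and encoded second.
// Hypothetical policy for this example: allow http(s) or a relative path.
function safe_url(string $url): string
{
    $url = trim($url);
    if (preg_match('#^(https?://|/)#i', $url) !== 1) {
        return '#';
    }
    return e($url);
}

// Constructed user input, roughly what a form field might carry.
$name = '<script>alert(1)</script> O\'Brien "the" <b>bold</b>';

// 1. Element content: the tags become text the browser displays, not executes.
echo '<p>Hello, ', e($name), '</p>', PHP_EOL;

// 2. Quoted attribute value: safe because " and ' are encoded too. The quotes
//    around the attribute are essential; an unquoted attribute ends at the
//    first space, which entity encoding does not prevent.
echo '<input type="text" name="name" value="', e($name), '">', PHP_EOL;

// 3. URL attribute: scheme check plus encoding, not encoding alone.
echo '<a href="', safe_url($name), '">profile</a>', PHP_EOL;

// 4. JavaScript context: entities are not decoded inside <script>, so e() is
//    the wrong tool. Use json_encode with the HEX flags, which also escapes
//    < > & ' " so a literal </script> cannot close the block early.
$js = json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo '<script>var displayName = ', $js, ';</script>', PHP_EOL;
```

The short version for the question above: htmlentities does neutralise `<script>` in ordinary HTML text and in quoted attribute values, but only if it is applied consistently at output time with ENT_QUOTES, and it does nothing for values placed in a URL attribute, an unquoted attribute, or a JavaScript block, each of which needs its own context-specific encoding.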
