[thelist] PHP - htmlentities

Simon Willison simon at incutio.com
Thu Aug 1 06:05:01 CDT 2002


At 12:46 01/08/2002 +0200, Peter Duchateau wrote:
>Should I use htmlentities() on all strings I want to display ?

No, but you should use it on any strings that may have HTML in them where you do
not want the HTML to be rendered by the browser - generally anything that
has come from a site visitor and has not been "checked" by you personally.
This is important for security reasons - allowing people to add HTML to your
site could enable malicious users to add cookie-stealing JavaScript (or
nasty pornographic pop-up windows or a whole host of other unpleasant things).

Regards,

Simon Willison
http://www.bath.ac.uk/~cs1spw/blog/
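The advice above in working form, as an added example that is not part of the original thread: a small helper that wraps htmlentities() with explicit flags and charset, applied to a constructed visitor comment before it is placed in HTML body text and in an attribute value. The function name h() and the sample comment are assumptions made for this illustration.

```php
<?php
// Added example (not from the original mailing-list post): escaping untrusted
// visitor input with htmlentities() before it is written into an HTML page.

declare(strict_types=1);

/**
 * Escape a string for output inside HTML body text or a quoted attribute.
 * ENT_QUOTES converts both ' and " so the result is also safe inside
 * attribute values; naming the charset explicitly avoids relying on the
 * interpreter's default.
 */
function h(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a comment that contains markup the site never asked for.
$visitorComment = 'Nice site! <b>bold</b> <script>alert("x")</script>';

// Unsafe: the tags reach the browser intact and are interpreted as HTML.
$unsafe = "<p>{$visitorComment}</p>";

// Safe: the same text, but <, >, " and ' are now entities and are displayed
// literally instead of being parsed as markup.
$safeBody = '<p>' . h($visitorComment) . '</p>';

// The same helper is what makes the value safe inside a quoted attribute,
// e.g. when re-populating a form field after a failed submission.
$safeAttribute = '<input type="text" name="comment" value="' . h($visitorComment) . '">';

echo $safeBody, PHP_EOL;
echo $safeAttribute, PHP_EOL;
```

Two points worth keeping in mind when applying this: escape at the moment of output rather than at the moment of storage, so the original text is preserved and can be shown in other contexts later; and htmlentities() only covers HTML body and attribute contexts, so data placed inside a &lt;script&gt; block, a URL, or a CSS value needs escaping appropriate to that context instead.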