[thelist] PHP - htmlentities
Simon Willison
simon at incutio.com
Thu Aug 1 06:05:01 CDT 2002
At 12:46 01/08/2002 +0200, Peter Duchateau wrote:
> Should I use htmlentities() on all strings I want to display?
No, but you should use it on any strings that may have HTML in them where you do
not want the HTML to be rendered by the browser - generally anything that
has come from a site visitor and has not been "checked" by you personally.
This is important for security reasons - allowing people to add HTML to your
site could enable malicious users to add cookie-stealing JavaScript (or
nasty pornographic pop-up windows or a whole host of other unpleasant things).
Regards,
Simon Willison
http://www.bath.ac.uk/~cs1spw/blog/
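Added example (not part of the original post or of the thelist archive): a small PHP script that applies htmlentities() to a constructed piece of visitor-supplied text before echoing it into a page. The helper name escapeHtml and the sample comment are assumptions made for the demonstration.

```php
<?php
// Added example (not code from the original post): escaping untrusted text
// with htmlentities() before echoing it into an HTML page.
// escapeHtml() and the $comment value are constructed for this demo.

declare(strict_types=1);

/**
 * Escape a string for inclusion in HTML text content or in a quoted
 * attribute value. ENT_QUOTES covers both " and ' so the output is also
 * safe inside single-quoted attributes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string.
 */
function escapeHtml(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of visitor-supplied text that contains markup.
$comment = 'Nice post! <b>bold</b> "quoted" it\'s';

// Unsafe: the browser would interpret the markup inside the comment.
$unsafe = '<p class="comment">' . $comment . '</p>';

// Safe: every <, >, &, " and ' becomes an entity, so the browser
// displays the characters instead of parsing them as markup.
$safe = '<p class="comment">' . escapeHtml($comment) . '</p>';

// The same helper protects a quoted attribute value.
$safeAttr = '<input type="text" value="' . escapeHtml($comment) . '">';

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo $safeAttr, PHP_EOL;
```

Two caveats a reviewer would add: before PHP 8.1 the default flags for htmlentities() did not include ENT_QUOTES, so single quotes passed through unescaped unless the flags were given explicitly, and passing them explicitly as above works on every version. Escaping like this is only correct for HTML text and quoted attribute contexts; a value placed inside a script block, a URL, or a style rule needs the encoding appropriate to that context, and an attribute that is left unquoted in the template is not protected by entity encoding alone.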