[thelist] PHP - htmlentities

Jackson Yee jyee at vt.edu
Thu Aug 1 08:06:00 CDT 2002


----- Original Message -----
From: "Simon Willison" <simon at incutio.com>
To: <thelist at lists.evolt.org>; <thelist at lists.evolt.org>
Sent: Thursday, August 01, 2002 07:04
Subject: Re: [thelist] PHP - htmlentities

> No, but you should use it on any strings that may have HTML in where you do
> not want the HTML to be rendered by the browser - generally anything that
> has come from a site visitor and has not been "checked" by you personally.
> This is important for security reasons - allow people to add HTML to your
> site could enable malicious users to add cookie-stealing-javascripts (or
> nasty pornographic pop up windows or a whole host of other unpleasant
> things).

Definitely a good word of advice!

I'd also note that if you want to allow selective tags to be usable, you can
pass the string to the strip_tags() function.  This is a great resource when
you allow users to input HTML with <p>, <b>, <i>, and so forth for
appearance's sake but don't want any <script> or <img> tags thrown in.

Regards,
Jackson Yee
jyee at vt.edu
http://www.jacksonyee.com/
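As an added example that is not part of the thread (PHP, run against a constructed sample of visitor text), this shows the two approaches side by side and the caveat a practitioner wants: strip_tags() leaves attributes on the tags it keeps, so an event-handler attribute on an allowed <b> survives unless it is removed separately. The dropAttributes() helper and the handler names in the sample are this example's own, not from the original post.

```php
<?php
// Constructed sample input, as a site visitor might submit it. The handler
// and function names are placeholders, not real payloads.
$visitorInput = '<p>Hello <b onmouseover="notWanted()">world</b></p>'
              . '<script>notWanted()</script><img src="x">';

// 1. htmlentities(): every tag is shown literally, nothing is rendered.
//    ENT_QUOTES escapes both quote styles so the result is also safe
//    when placed inside an attribute value.
function escapeForHtml(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// 2. strip_tags() with an allow-list keeps <p>, <b>, <i> for appearance
//    and drops <script>, <img> and anything else. It does not inspect
//    attributes on the allowed tags, so onmouseover="..." survives.
function keepFormattingTags(string $s): string {
    return strip_tags($s, '<p><b><i>');
}

// 3. Reduce the surviving allowed tags to bare tag names so no attribute
//    (event handlers included) is carried through. Assumption of this
//    example: the allowed formatting tags never need attributes.
function dropAttributes(string $s): string {
    return preg_replace('/<(\/?)(p|b|i)\b[^>]*>/i', '<$1$2>', $s);
}

echo "htmlentities:          ", escapeForHtml($visitorInput), "\n";
echo "strip_tags only:       ", keepFormattingTags($visitorInput), "\n";
echo "strip_tags + no attrs: ", dropAttributes(keepFormattingTags($visitorInput)), "\n";
```

Note that strip_tags() removes the tags but not the text between them, so the script body still appears as plain text in the last two outputs; that is harmless, but it is a reason to prefer htmlentities() wherever the visitor does not genuinely need formatting.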
