[thelist] PHP - htmlentities

Simon Willison simon at incutio.com
Thu Aug 1 09:18:01 CDT 2002


At 09:05 01/08/2002 -0400, Jackson Yee wrote:
> > No, but you should use it on any strings that may have HTML in where you do
> > not want the HTML to be rendered by the browser - generally anything that
> > has come from a site visitor and has not been "checked" by you personally.
> > This is important for security reasons - allowing people to add HTML to your
> > site could enable malicious users to add cookie-stealing-javascripts (or
> > nasty pornographic pop up windows or a whole host of other unpleasant
> > things).
>
> Definitely a good word of advice!
>
> I'd also note that if you want to allow selective tags to be usable, you can
> pass the string to the strip_tags() function.  This is a great resource when
> you allow users to input HTML with <p>, <b>, <i>, and so forth for
> appearance's sake but don't want any <script> or <img> tags thrown in.

The only problem with this approach is that ultra-crafty users can still
insert javascript, by using onmouseover="" and other event-based attributes
on the tags that you allow. I know IE is happy to execute event-based
attributes on pretty much any element you care to mention, so using
strip_tags with exceptions can still leave you open to attack.
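One way to close the gap described above, as an added example that is not from the thread or from PHP's own documentation: keep the strip_tags() allow-list, then parse what survives with DOMDocument and drop every attribute (and any tag outside the list) so no on* handler remains. It assumes PHP 7+ with the DOM extension; the input string is constructed for the demonstration.

```php
<?php
// Constructed sample of visitor input. The onmouseover attribute survives
// strip_tags() because the <b> element itself is on the allow-list.
$submitted = '<p>Hi <b onmouseover="alert(1)">there</b><script>x()</script></p>';

// Step 1: the approach from the thread - keep only a few tags.
// Result still contains: <p>Hi <b onmouseover="alert(1)">there</b></p>
$stripped = strip_tags($submitted, '<p><b><i>');

// Step 2: parse the fragment and remove every attribute on every element.
// Elements not in $allowed are replaced by their text content as a second
// safety net, in case step 1 is ever skipped.
function drop_attributes(string $fragment, array $allowed): string
{
    $doc = new DOMDocument();
    // Wrap in a container so libxml does not add html/body around it.
    $doc->loadHTML('<div>' . $fragment . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root  = $doc->documentElement;          // our wrapper <div>
    $xpath = new DOMXPath($doc);
    // './/*' with $root as context selects only descendants of the wrapper.
    foreach ($xpath->query('.//*', $root) as $el) {
        if (!in_array($el->tagName, $allowed, true)) {
            $text = $doc->createTextNode($el->textContent);
            $el->parentNode->replaceChild($text, $el);
            continue;
        }
        // Copy the live attribute map before deleting from it.
        foreach (iterator_to_array($el->attributes) as $attr) {
            $el->removeAttribute($attr->name);
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

$safe = drop_attributes($stripped, ['p', 'b', 'i']);
// $safe is now: <p>Hi <b>there</b></p>

// If visitors need no markup at all, escaping is simpler and stronger:
$escaped = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
```

If you need to keep some attributes (for example href on links), allow them by name and still validate their values, because an attribute allow-list is the part strip_tags() never gives you.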
