[thelist] PHP - htmlentities

Peter Duchateau peter at duo.be
Thu Aug 1 06:09:00 CDT 2002


I would also use htmlentities() when I display fields selected from the
database and the fields may contain characters like é, ë, etc.

on 01-08-2002 13:04, Simon Willison at simon at incutio.com wrote:

> At 12:46 01/08/2002 +0200, Peter Duchateau wrote:
>> Should I use htmlentities() on all strings I want to display ?
>
> No, but you should use it on any strings that may have HTML in them where you do
> not want the HTML to be rendered by the browser - generally anything that
> has come from a site visitor and has not been "checked" by you personally.
> This is important for security reasons - allowing people to add HTML to your
> site could enable malicious users to add cookie-stealing JavaScripts (or
> nasty pornographic pop-up windows or a whole host of other unpleasant things).
>
> Regards,
>
> Simon Willison
> http://www.bath.ac.uk/~cs1spw/blog/
>
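Putting the advice in this thread into code, as an added example that is not part of the original post: a small escaping helper wrapped around htmlentities(), applied both to a database field with accented letters and to visitor-supplied text containing markup. The `$row` array, its values and the helper name `h()` are constructed for the example.

```php
<?php
// Added example, not from the thread: escape database fields and
// visitor-supplied text before echoing them into HTML.
declare(strict_types=1);

// Escape a value for placement in HTML text or inside a quoted attribute.
// ENT_QUOTES also converts ' and " so a value cannot break out of an
// attribute; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the explicit charset keeps é, ë etc. intact.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed stand-in for a database row: one field with accented
// letters, one comment typed by a site visitor that contains markup.
$row = [
    'name'    => 'Zoë & Léa',
    'comment' => '<script>alert("untrusted")</script> <b>bold</b>',
];

// The accented characters and the ampersand become named entities, so the
// browser displays them correctly regardless of the page's declared charset.
echo '<p>', h($row['name']), "</p>\n";

// Markup typed by the visitor is shown literally instead of being rendered:
// the angle brackets are encoded, so no script element is created.
echo '<p>', h($row['comment']), "</p>\n";

// The same helper is safe in a quoted attribute, because the double quotes
// inside the comment are encoded and cannot close the attribute early.
printf("<input type=\"text\" name=\"comment\" value=\"%s\">\n", h($row['comment']));
```

Apply the helper at the point of output rather than when storing data, so the database keeps the original text and the same value can be escaped differently for other contexts later.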