[thelist] PHP - htmlentities
Peter Duchateau
peter at duo.be
Thu Aug 1 06:09:00 CDT 2002
I would also use htmlentities() when I display fields selected from the
database and the fields may contain characters like é, ë, etc.
on 01-08-2002 13:04, Simon Willison at simon at incutio.com wrote:
> At 12:46 01/08/2002 +0200, Peter Duchateau wrote:
>> Should I use htmlentities() on all strings I want to display?
>
> No, but you should use it on any strings that may have HTML in where you do
> not want the HTML to be rendered by the browser - generally anything that
> has come from a site visitor and has not been "checked" by you personally.
> This is important for security reasons - allowing people to add HTML to your
> site could enable malicious users to add cookie-stealing-javascripts (or
> nasty pornographic pop up windows or a whole host of other unpleasant things).
>
> Regards,
>
> Simon Willison
> http://www.bath.ac.uk/~cs1spw/blog/
>
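The pattern the thread describes, escaping every database field at the point it is written into the page, as an added PHP example (not code from either poster). The record values, the `escapeHtml()` and `renderRow()` helper names, and the two sample rows are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Escape a string for HTML element content or a double/single-quoted attribute.
// ENT_QUOTES covers both quote styles (an attribute value needs it); ENT_SUBSTITUTE
// replaces invalid byte sequences instead of letting htmlentities() return an
// empty string, which is what happens when the declared charset does not match
// the data. Naming 'UTF-8' explicitly is what keeps é and ë intact.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one table row from a database record. Every field goes through
// escapeHtml() at output time, whether it originally came from a visitor or not.
function renderRow(array $row): string
{
    return '<tr><td>' . escapeHtml($row['name']) . '</td>'
         . '<td title="' . escapeHtml($row['city']) . '">'
         . escapeHtml($row['city']) . '</td></tr>';
}

// Constructed sample records (not real data): accented characters as in the
// original question, plus fields carrying markup a visitor might submit.
$rows = [
    ['name' => 'Peter Duchâteau', 'city' => 'Liège'],
    ['name' => '<b>bold</b> <script>alert(1)</script>', 'city' => '" onmouseover="alert(1)'],
];

foreach ($rows as $row) {
    echo renderRow($row), "\n";
}
// First row: â and è are emitted as &acirc; and &egrave; and the browser shows
// the accented letters. Second row: <script> becomes &lt;script&gt; and the
// quote inside the title attribute becomes &quot;, so neither is parsed as
// markup; the text is displayed literally instead of executed.
```

Two points worth keeping in mind: htmlspecialchars() with the same flags is sufficient to stop markup injection, since htmlentities() only adds the conversion of accented characters (harmless, and unnecessary on a page served as UTF-8); and this escaping is correct for HTML body text and attribute values only, so a value placed inside a JavaScript string or a URL needs escaping for that context instead.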