
It's not just you. They don't use htmlentities at all.


htmlentities() might help to protect you from SQL injection, but it won't do a damn thing against XSS attacks.


I'll admit that I'm no PHP expert, but I was under the impression that htmlentities prevented XSS by converting all special html characters to their equivalent html entity.

If HTML entities work properly, and it is used properly, shouldn't it prevent XSS since an attacker who inputs something like <script>alert("xss")</script> would simply see the message displayed back to them instead of the browser actually executing it?

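As an added example (not from the thread or from any project discussed here), this is how htmlentities() neutralises the payload quoted above when it is called with an explicit charset and ENT_QUOTES, which makes the result safe in both the HTML body and quoted attribute values; it assumes PHP 5.4 or later for the ENT_SUBSTITUTE and ENT_HTML5 flags. Output placed inside a script block, a URL or a CSS value is a different context and needs its own context-specific encoding, which htmlentities() does not provide.

```php
<?php
// Escape untrusted input for the HTML body or a quoted attribute.
// ENT_QUOTES also converts single quotes, so the value cannot close a
// single-quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
// instead of making the function return an empty string (which would
// silently drop the output); the charset must match the page encoding.
function escape_for_html(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: the payload quoted in the thread.
$input = '<script>alert("xss")</script>';
$safe  = escape_for_html($input);

// The angle brackets and double quotes are now &lt; &gt; and &quot;,
// so the browser shows the text instead of running it.
echo '<p>You wrote: ' . $safe . '</p>', PHP_EOL;

// The same escaped value is also safe inside a quoted attribute.
echo '<input type="text" value="' . $safe . '">', PHP_EOL;

// Defensive check: no raw angle brackets or quotes survive in the output.
if (strpbrk($safe, '<>"\'') !== false) {
    throw new RuntimeException('escaping left an unencoded metacharacter');
}
```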

Hmm, yeah you're right. I'm not sure what I was thinking of.



