Will htmlentities avoid all XSS in php?

Posted by Erwin Moller on 01/24/08 11:05

Hi all,

Question: If I use htmlentities($orginalString,ENT_QUOTES) everywhere I
output anything to the browser that originated from user input, will an
XSS attack be possible?

I think not, but I found a lot of different ways to XSS related on the
net (like DNS rebinding: http://en.wikipedia.org/wiki/DNS_rebinding).
As far as I can see DNS-rebinding is useless as long as the JavaScript
will not be executed.

Is htmlentities enough?
Should I also use the third parameter for htmlentities (charset)?
What do you do to protect your sites against XSS?

Regards,
Erwin Moller
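
An added example, not part of the original post: it shows what the ENT_QUOTES flag and the charset argument asked about above actually change in the output of htmlentities(). The helpers esc_html() and check() and the sample strings are constructed for illustration.

```php
<?php
// Added example: esc_html(), check() and the sample strings are constructed.

// One escaping helper for HTML text and quoted attribute values. Flags and
// charset are explicit so the result does not depend on PHP version defaults.
function esc_html(string $s, string $charset = 'UTF-8'): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Minimal self-check so the script fails loudly if a result differs.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("unexpected result: $what");
    }
    echo "ok: $what\n";
}

$input = "O'Brien said \"hi\" <b>";   // constructed sample input

// ENT_COMPAT encodes double quotes only; the single quote passes through,
// which matters when the value lands inside a single-quoted attribute.
$compat = htmlentities($input, ENT_COMPAT, 'UTF-8');
check(strpos($compat, "'") !== false, 'ENT_COMPAT leaves the single quote as-is');

// ENT_QUOTES encodes both quote characters as well as < > and &.
$quoted = esc_html($input);
check($quoted === 'O&#039;Brien said &quot;hi&quot; &lt;b&gt;', 'ENT_QUOTES encodes both quotes');

// Charset: "caf\xE9" is ISO-8859-1; the lone 0xE9 byte is invalid UTF-8.
$latin1 = "caf\xE9";

// Without ENT_SUBSTITUTE or ENT_IGNORE, invalid input yields an empty string.
check(htmlentities($latin1, ENT_QUOTES, 'UTF-8') === '', 'invalid UTF-8 returns an empty string');

// With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest is kept.
check(esc_html($latin1) === "caf\u{FFFD}", 'ENT_SUBSTITUTE replaces the bad byte');

// Naming the charset the data is really in gives the intended entity.
check(esc_html($latin1, 'ISO-8859-1') === 'caf&eacute;', 'ISO-8859-1 input maps to &eacute;');
```

The charset passed to htmlentities() should match the charset the page declares to the browser, so that both sides interpret the same bytes the same way.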

 
