I have a form where users can fill in a news article. This contains

Question

0

Asked: May 24, 20262026-05-24T04:12:25+00:00 2026-05-24T04:12:25+00:00

I have a form where users can fill in a news article. This contains

0

I have a form where users can fill in a news article. This contains a title and body.
For each page to have a unique title, I’m using the user input (title) in the <title>-tags:

<title>$userinput</title>

I’m wondering – is it possible for the user to perform an XSS-attack this way? Should I escape this user input using htmlspecialchars?

The same also applies to <meta>-tags. I’m using user input for the description:

<meta name="description" content="$userinput" />

Can a user perform XSS-attacks in <title> and <meta>-tags?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-24T04:12:27+00:00

Editorial Team

2026-05-24T04:12:27+00:00Added an answer on May 24, 2026 at 4:12 am

Should I escape this user input using htmlspecialchars?

Yes. Location doesn’t matter. All user input should be escaped.

References:

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a form where users can fill in a news article. This contains

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply