I understand it is useful to sanitize user input when you display it on your site, using a function like htmlentities() in PHP. But would something like this present an XSS risk?
<input type="text" value="<?=user input drawn from the database?>" />
Would it be better to sanitize the input like this?
<input type="text" value="<?=htmlentities(user input drawn from the database)?>" />
I should specify that I’m only talking about the security risk of input value attributes, I know I still have to sanitize user input if I want to display it elsewhere on the site.
I could enter text like this,
which would give you the following output: (Formatted for readability)
You are just concatenating strings, not manipulating the DOM, so you still need to watch out for quotes.
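To make the answer's point concrete, here is an added example (not code from the question or the answer above) that renders the asker's two templates side by side with a constructed payload. The payload, the escapeAttr() helper name and the single-quoted variant are assumptions made for the illustration; the htmlentities() flag behaviour described in the comments is PHP's documented behaviour.

```php
<?php
// Added example, not from the original post. Shows why echoing a raw value
// into a quoted attribute is exploitable and how htmlentities() with explicit
// flags closes the hole for both double- and single-quoted attributes.
declare(strict_types=1);

// Exactly what the question's first snippet does: string concatenation.
function renderRaw(string $userInput): string
{
    return '<input type="text" value="' . $userInput . '" />';
}

// Hardened helper (name is an assumption for this example).
// ENT_QUOTES escapes both " and ', so the same helper is safe whether the
// template wraps the attribute in double or single quotes.
// ENT_SUBSTITUTE stops htmlentities() from returning an empty string on
// invalid UTF-8, which would otherwise silently drop the whole value.
function escapeAttr(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderEscaped(string $userInput): string
{
    return '<input type="text" value="' . escapeAttr($userInput) . '" />';
}

// Constructed payload: a double quote closes the value attribute, then an
// event handler is added. No <script> tag and no < or > characters are
// needed, which is why "strip tags" style filtering does not help here.
$payload = '" onfocus="alert(document.domain)" autofocus="';

echo "Raw (attribute is broken out of):\n";
echo renderRaw($payload) . "\n\n";

echo "Escaped (payload stays inside the attribute value):\n";
echo renderEscaped($payload) . "\n\n";

// Caveat for single-quoted attributes: before PHP 8.1 htmlentities() defaulted
// to ENT_COMPAT, which leaves the single quote untouched, so this template
// was still exploitable with the default flags. Since PHP 8.1 the default
// includes ENT_QUOTES, but passing the flags explicitly removes the doubt.
$singleQuoted = "' onfocus='alert(1)' autofocus='";

echo "Single-quoted attribute, default flags (broken on PHP < 8.1):\n";
echo "<input type='text' value='" . htmlentities($singleQuoted) . "' />\n\n";

echo "Single-quoted attribute, ENT_QUOTES:\n";
echo "<input type='text' value='" . escapeAttr($singleQuoted) . "' />\n";
```

Run it with `php example.php`. The raw rendering produces `value="" onfocus="alert(document.domain)" autofocus=""`, i.e. the browser sees a new event-handler attribute, while the escaped rendering keeps every quote as `&quot;` inside the one attribute. An unquoted attribute (`value=<?= ... ?>`) is not saved by htmlentities() at all, because a plain space already ends the value; always quote the attribute and escape with ENT_QUOTES.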