Home/ Questions/Q 928127
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T19:57:38+00:00

I want to filter my output to make it safer from Cross site scripting

  • 0

I want to filter my output to make it safer from Cross site scripting (XSS) attacks so I am filtering output with htmlentities. The problem is, I am trying to make my application utf8 compatible so when I enter something like ಠ_ಠ I would like it to be maintained when retrieved from the database. Is there a simple solution to achieve this? Thanks in advance for any advice.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Three things

    1. HTML sanitization is an output escaping task, not input filtering. You should not do this task prior to storage, you should only do it prior to display.
    2. If you are trying to prevent XSS, you don’t need to use htmlentities()htmlspecialchars() is sufficient. htmlentities() is used only when trying to render a content from a character-encoding that is disparate from native encoding.
    3. Both functions accept a character encoding as the third argument.

    So, finally:

    echo htmlspecialchars( $content, ENT_QUOTES, 'UTF-8' );

    Where if you used ENT_NOQUOTES you could be vulnerable to some types of XSS.

    • 0