PHP - When would you use htmlentities?

When would you use htmlentities?

htmlentities() prevents users from running malicious code in HTML.

The htmlentities() function takes a string and returns the same string with its HTML characters converted into HTML entities.

Syntax:
htmlentities(string,quotestyle,character-set)

String – String to be converted.
Quotestyle – Optional parameter that defines how to encode single and double quotes.
Character-set – Optional parameter that specifies the character set.

When would you use htmlentities?

Text submitted by users may contain HTML-specific characters such as < and >. Care should be taken not to leave any security holes open for malicious users to exploit. If user-submitted text is going to be displayed, htmlentities() should be considered to prevent HTML code and scripts in that text from running and harming the site's visitors.

The htmlentities() function receives a string and returns the same string with HTML characters converted to entities. For example, the string '<script>' would be converted to '&lt;script&gt;'. The < and > characters are converted by using the HTML entities &lt; and &gt;.

Example:
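// User-submitted text containing a script that would redirect the visitor.
$userInput = "This site could be hacked!
<script type='text/javascript'>
window.location = 'http://www.mysite.com/'
</script>";
// Convert the HTML characters to entities so the browser shows the text instead of running it.
$userInputEntities = htmlentities($userInput);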
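
The optional quotestyle and character-set parameters described above affect what actually gets encoded. The following is an added example, not code from the original page: the helper name encodeForHtml() and the sample inputs are assumptions made for illustration. It compares ENT_COMPAT (the default quote style before PHP 8.1) with ENT_QUOTES on the page's sample input, and shows how invalid bytes are handled.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original page): encode untrusted text for HTML output.
function encodeForHtml(string $text): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid byte
    // sequences with U+FFFD instead of returning an empty string.
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, same shape as the page's example.
$userInput = "This site could be hacked!
<script type='text/javascript'>
window.location = 'http://www.mysite.com/'
</script>";

// ENT_COMPAT encodes double quotes only and leaves single quotes as they are.
$compat = htmlentities($userInput, ENT_COMPAT, 'UTF-8');
$quotes = encodeForHtml($userInput);

echo "ENT_COMPAT:\n$compat\n\n";
echo "ENT_QUOTES:\n$quotes\n\n";

// < and > are encoded in both cases, so no <script> element reaches the browser.
var_dump(strpos($compat, '<script') === false);
var_dump(strpos($quotes, '<script') === false);

// Only ENT_QUOTES removes the raw single quotes, which matters when the value is
// written into a single-quoted attribute such as <input value='...'>.
var_dump(strpos($compat, "'") !== false);
var_dump(strpos($quotes, "'") === false);

// Constructed invalid UTF-8 input: without ENT_SUBSTITUTE the whole result is
// an empty string, so the text silently disappears from the page.
$badBytes = "caf\xE9 <b>";
var_dump(htmlentities($badBytes, ENT_QUOTES, 'UTF-8') === '');
var_dump(encodeForHtml($badBytes) !== '');
```

Passing the flags and character set explicitly keeps the output the same across PHP versions instead of depending on the version's defaults.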