kadin
asked on
striptags vs. htmlentities
I am having trouble understanding why I would need strip_tags if I already use htmlentities.
Doesn't htmlentities render tags such as script, php, html etc. harmless?
What additional benefit would strip_tags provide?
Thanks.
Forgot to state that strip_tags deletes the HTML tags as well as any text within them
strip_tags only removes the HTML tags; even after you remove the tags, you might end up with text containing symbols that could mess up the HTML code, like < or > in a sentence. Also, if you have Unicode characters or something outside the standard printable ASCII range, you will need to use htmlentities.
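To make the difference concrete, here is an added example (not code from the thread) that runs strip_tags(), htmlentities() and htmlspecialchars() over the same constructed input and also shows the documented attribute caveat when you let a tag through strip_tags(). The sample string is made up for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: compare strip_tags() with
// htmlentities()/htmlspecialchars() on the same untrusted text.

// Constructed sample input, the sort of thing a user might paste into a textarea.
$input = "5 < 6 and 8 > 7. <script>alert('xss')</script> <b>bold</b> café";

// 1. strip_tags() deletes anything that parses as a tag but keeps the text
//    between tags. In PHP's strip_tags() parser a "<" followed by whitespace
//    is not treated as the start of a tag, so the comparison operators survive
//    as raw "<" and ">" and are still handed to the browser as markup
//    characters if the result is echoed as-is. The script *body* survives too,
//    only the <script> and </script> tags are gone.
echo "strip_tags:       ", strip_tags($input), "\n";

// 2. htmlentities() converts every character that has a named entity: the
//    angle brackets, the quotes and even the accented letter become entities.
//    The browser shows the script tag as visible text instead of running it.
echo "htmlentities:     ", htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// 3. htmlspecialchars() encodes only & < > " ' which is all the HTML text
//    context needs when the page is served as UTF-8; "café" stays readable in
//    the source and the script tag is neutralised just the same.
echo "htmlspecialchars: ", htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// 4. Allowing a tag through strip_tags() leaves that tag's attributes
//    untouched (the PHP manual warns about this), so a permitted <a> can
//    still carry a javascript: URL or an event handler.
$link = '<a href="javascript:alert(1)" onclick="alert(2)">click me</a>';
echo "strip_tags, <a> allowed: ", strip_tags($link, '<a>'), "\n";
```

The third call is the one to use when the page is served with a UTF-8 charset: it neutralises the same characters that matter for the HTML text context without turning every accented letter into an entity.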
ASKER
Thanks for your response. I am still a little foggy on how I should go about this.
I am receiving user input such as a paragraph in a textarea, inputting it into a database and displaying it back on a web page.
If strip_tags can be easily fooled, maybe I should forget about that function.
Does htmlentities stop JavaScript, PHP or any kind of XSS?
I am using PDO and prepared statements.
If you are getting the HTML from the user and displaying it on the page, it's best to strip out any JavaScript tags using a regular expression. Something like /<script[^>]*>(.*?)<\/script>/is maybe? (not tested)
If you want to display the content with the formatting the user entered, you should not use htmlentities.
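The following added example (not code from the thread) shows why a regex that removes <script> elements does not stop XSS, and what the asker's store-then-display flow looks like when the text is saved raw through a PDO prepared statement and encoded only at output time. The renderText() helper, the sample comment and the in-memory SQLite database (it assumes the bundled pdo_sqlite driver is available) are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: a <script>-stripping regex is not
// an XSS defence, and output encoding is what the plain-text use case needs.

// Constructed sample input: no <script> tag at all, the payload rides on an
// event handler attribute and on a javascript: URL instead.
$input = "Nice post!\n<img src=x onerror=\"alert(document.cookie)\">\n"
       . "<a href=\"javascript:alert(1)\">more</a>";

// A regex along the lines of the one suggested above (delimiter escaped so
// PHP accepts the pattern) only matches a literal <script>...</script> element.
$pattern  = '/<script[^>]*>(.*?)<\/script>/is';
$filtered = preg_replace($pattern, '', $input);

// Nothing was removed: the onerror handler would still fire if $filtered
// were echoed into a page unencoded.
var_dump($filtered === $input); // bool(true)

// The asker wants plain text, not HTML, so the right tool is encoding at
// output time rather than enumerating dangerous tags.
function renderText(string $untrusted): string
{
    // Encode & < > " ' for the HTML text context, then let nl2br() turn the
    // textarea newlines into <br />. Encoding first means the <br /> is ours,
    // never something the user typed.
    return nl2br(htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Store the raw text with a prepared statement (the placeholder handles SQL
// injection) and encode only when displaying. In-memory SQLite stands in
// for the real database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $input]); // raw, unmodified

$row = $pdo->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);

// Display in the page body: the img and a tags become visible text.
echo "<p>", renderText($row['body']), "</p>\n";

// Re-filling the textarea for an edit form uses the same encoding; the
// browser decodes the entities back to the user's original characters.
echo "<textarea name=\"body\">",
     htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
     "</textarea>\n";
```

Two things worth noting about this flow: the prepared statement and the output encoding solve different problems (SQL injection on the way in, XSS on the way out), and neither strip_tags() nor a tag blacklist is needed when the page only ever displays the text as text. Encoding has to match the context; htmlspecialchars() is right for HTML text and attribute values, but a value placed inside a JavaScript block or a URL needs the encoding for that context instead.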
ASKER
I hope I am not causing confusion.
I am just trying to receive text from the user, not HTML. If the user inputs HTML such as <script>, I thought htmlentities would change < and > to entities, thus rendering a script tag useless.
If that is so, then I would not need a regex like you described above correct?
ASKER
Thanks so much for your help. I think I am starting to understand this a little better.
Glad to help. Thanks for the points.