Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 940
  • Last Modified:

striptags vs. htmlentities

I am having trouble understanding why I would need striptags if I already use htmlenties.

Doesn't htmlentities render tags such as script, php, html etc. harmless?

What additional benefit would strip tags provide?

Thanks.
0
kadin
Asked:
kadin
  • 4
  • 3
  • 2
2 Solutions
 
lexlythiusCommented:
They serve different purposes.

htmlentities encode XML/HTML metacharacters such as <, >, &, etc so they can be safely included inside, say, a <TEXTAREA></TEXTAREA> element.

strip_tags is better used when you want to store text that will be rendered:
in plain-text context, and the HTML tags will clutter the output with garbage, or
in HTML context, but you want to prevent that stored text will be rendered as HTML, tipically to prevent final users from posting HTML and scripts on a web page

Anyway, keep in mind that strip_tags can be easily fooled.
0
 
lexlythiusCommented:
Forgot to state that strip_tags deletes the HTML tags as well as any text within them
0
 
Sudaraka WijesingheWeb Application ProgrammerCommented:
striptags only remove the HTML tags, even after you remove the tags, you might end up with text containing symbols that could mess up the HTML code like < or > in a sentence. Also if you have unicode characters or some thing outside the standard printable ASCII range, you will need to use htmlenties.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
kadinAuthor Commented:
Thanks for your response. I am still a little foggy on how I should go about this.

I am receiving user input such as a paragraph in a textarea, inputting it into a database and displaying it back on a web page.

If strip_tags can be easily fooled, maybe I should forget about that function.

Does htmlentities stop javascript, php or any kind of xss?

I am using pdo and prepared statements.
0
 
Sudaraka WijesingheWeb Application ProgrammerCommented:
If you are getting the HTML from user and displaying it on the page, it's best to strip out any javascript tags using regular expression. Something like /<script[^>]*>(.*)</script>/i maybe? (not tested)

If you want to display the content with the formatting user entered, you should not use htmlentities.
0
 
kadinAuthor Commented:
I hope I am not causing confusion.

I am just trying to receive text from the user, not html. If the user inputs html such as <script>, I thought htmlentities would change < and > to entities, thus rendering a script tag useless.

If that is so, then I would not need a regex like you described above correct?
0
 
Sudaraka WijesingheWeb Application ProgrammerCommented:
Yes, htmlentities will make any script tags display as text, so any code will no execute with in them.

But it is safer to just filter out any javascript codes that user might enter. For example let's say one day you desided to transfer that content using AJAX or some method like that. Then if the correct encoding was not used there is a chance that javascript code might execute.
0
 
kadinAuthor Commented:
Thanks so much for your help. I think I am starting to understand this a little better.
0
 
Sudaraka WijesingheWeb Application ProgrammerCommented:
Glad to help. Thanks for the points.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now