What does htmlentities with ENT_QUOTES and UTF-8 do?

13,396

ENT_QUOTES is needed if the data is being substituted into an HTML attribute, e.g.

echo '<input type="text" value="' . htmlentities($string, ENT_QUOTES) . '">';

This ensures that quotes are encoded, so they won't terminate the value="..." attribute prematurely.

UTF-8 is necessary if your page uses UTF-8 charset, because the default is to use ISO-8859-1 encoding. These encodings need to match or the user will see strange characters.
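The following is an added example, not code from the answer above or from any PHP project; it runs the flag and charset combinations the answer discusses over constructed input so the difference is visible in the output. The input strings are constructed for illustration.

```php
<?php
// Added example: shows what ENT_QUOTES and the charset argument change.
// Requires PHP >= 5.4 (the constants used are standard PHP constants).

// Constructed input that tries to close a single-quoted attribute early.
$input = "' onmouseover='alert(1)";

// ENT_COMPAT encodes only double quotes; a single quote passes through
// unchanged, so a single-quoted attribute can still be terminated early.
$compat = htmlentities($input, ENT_COMPAT, 'UTF-8');

// ENT_QUOTES encodes both ' (as &#039;) and " (as &quot;), so neither
// quoting style of attribute can be broken out of.
$quotes = htmlentities($input, ENT_QUOTES, 'UTF-8');

echo "<input value='" . $compat . "'>\n"; // the ' survives: attribute breaks
echo "<input value='" . $quotes . "'>\n"; // &#039; instead: attribute stays intact

// Charset: the same UTF-8 bytes read as ISO-8859-1 turn into mojibake
// entities, because each UTF-8 byte is treated as a separate Latin-1 character.
$utf8 = "caf\xC3\xA9"; // "café" in UTF-8, written as bytes for clarity

echo htmlentities($utf8, ENT_QUOTES, 'ISO-8859-1'), "\n"; // caf&Atilde;&copy;
echo htmlentities($utf8, ENT_QUOTES, 'UTF-8'), "\n";      // caf&eacute;
```

Run it with `php example.php` and compare the two `<input>` lines: only the ENT_QUOTES one keeps the attacker-supplied text inside the attribute value. The last two lines show why the charset passed to htmlentities() must match the page's actual encoding.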

Author by Sameer Zahid

Updated on June 12, 2022

Comments

  • Sameer Zahid
    Sameer Zahid almost 2 years

    I have always used simple htmlentities($_POST['string']); to clean data for any XSS attacks. Recently I have seen people use this:

    htmlentities($_POST['string'], ENT_QUOTES, 'UTF-8');
    

    What is the advantage or purpose of using that over just htmlentities().

    Also don't know if it is relevant but I use meta UTF-8 always at the top of my pages.

  • Beat
    Beat almost 11 years
    The default has changed in PHP 5.4, now the default is UTF-8.
  • Barmar
    Barmar almost 11 years
    In that case, the benefit of putting the charset in the call is that it will work the same in all versions of PHP.
  • Sameer Zahid
    Sameer Zahid almost 11 years
    So from what you said, I should always use this method: htmlentities with ENT_QUOTES and UTF-8, wherever I am echoing the string out. I mean, if I use ENT_QUOTES on a string that is not part of an HTML attribute, there should be no problem?
  • Barmar
    Barmar almost 11 years
    Correct. The only harm is that the HTML source will be a little harder to read, since it will be littered with &quot; and &#039;.
  • le_m
    le_m over 8 years
    ENT_QUOTES is NOT needed by default. The default ENT_COMPAT already takes care of double quotation marks. Only if you want to squeeze your output between single quotation marks, then you would need ENT_QUOTES. I would recommend to set ENT_QUOTES to be on the safe side, but this doesn't mean that a simple "htmlentities()" as seen by OP is unsafe.