What does htmlentities with ENT_QUOTES and UTF-8 do?
ENT_QUOTES is needed if the data is being substituted into an HTML attribute, e.g.
echo '<input type="text" value="' . htmlentities($string, ENT_QUOTES) . '">';
This ensures that quotes are encoded, so they won't terminate the value="..." attribute prematurely.
UTF-8 is necessary if your page uses the UTF-8 charset, because the default is to use ISO-8859-1 encoding. These encodings need to match or the user will see strange characters.
Author: Sameer Zahid
Updated on June 12, 2022
Comments
-
Sameer Zahid almost 2 years
I have always used simple htmlentities($_POST['string']); to clean data for any XSS attacks. Recently I have seen people use this: htmlentities($_POST['string'], ENT_QUOTES, 'UTF-8');
What is the advantage or purpose of using that over just htmlentities()? Also don't know if it is relevant but I use meta UTF-8 always at the top of my pages.
-
Beat almost 11 years
The default has changed in PHP 5.4, now the default is UTF-8.
-
Barmar almost 11 years
In that case, the benefit of putting the charset in the call is that it will work the same in all versions of PHP.
-
Sameer Zahid almost 11 years
So from what you said, I should always use this method, htmlentities with ENT_QUOTES and UTF-8, wherever I am echoing the string out. I mean if I use ENT_QUOTES on a string that is not part of an HTML attribute, there should be no problem?
-
Barmar almost 11 years
Correct. The only harm is that the HTML source will be a little harder to read, since it will be littered with &quot; and &#039;.
-
le_m over 8 years
ENT_QUOTES is NOT needed by default. The default ENT_COMPAT already takes care of double quotation marks. Only if you want to squeeze your output between single quotation marks would you need ENT_QUOTES. I would recommend setting ENT_QUOTES to be on the safe side, but this doesn't mean that a simple "htmlentities()" as seen by OP is unsafe.
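The following script is an added example, not code from the accepted answer or any of the commenters. It demonstrates the two points made above: why ENT_QUOTES matters for the single-quoted attribute case that ENT_COMPAT leaves open, and why the charset argument must match the page encoding. It assumes PHP 5.4 or later (the version in which the charset argument defaults to UTF-8, as Beat notes); the helper names attr_double and attr_single and the sample input strings are constructed for this demo.

```php
<?php
// Added example (not from the original answer or comments).
// Assumes PHP >= 5.4. Helper names and sample inputs are constructed here.
declare(strict_types=1);

// Constructed sample inputs: each one tries to close the quoting style of
// the attribute it is placed into and start a new attribute (data-x).
$breaksDouble = '" data-x="injected';   // contains a double quote
$breaksSingle = "' data-x='injected";   // contains a single quote

// Substitute an untrusted value into a double-quoted attribute.
function attr_double(string $value, int $flags): string
{
    return '<input type="text" value="' . htmlentities($value, $flags, 'UTF-8') . '">';
}

// Substitute an untrusted value into a single-quoted attribute.
function attr_single(string $value, int $flags): string
{
    return "<input type='text' value='" . htmlentities($value, $flags, 'UTF-8') . "'>";
}

// 1. Double-quoted attribute: both ENT_COMPAT and ENT_QUOTES encode the
//    double quote, so the attribute stays intact either way.
echo attr_double($breaksDouble, ENT_COMPAT), "\n";
// <input type="text" value="&quot; data-x=&quot;injected">
echo attr_double($breaksDouble, ENT_QUOTES), "\n";
// <input type="text" value="&quot; data-x=&quot;injected">

// 2. Single-quoted attribute: ENT_COMPAT leaves the single quote alone, so
//    the value attribute is terminated early and data-x becomes a real
//    attribute. ENT_QUOTES encodes it and keeps the value inside the attribute.
echo attr_single($breaksSingle, ENT_COMPAT), "\n";
// <input type='text' value='' data-x='injected'>      <- attribute broken out of
echo attr_single($breaksSingle, ENT_QUOTES), "\n";
// <input type='text' value='&#039; data-x=&#039;injected'>

// 3. Charset mismatch: the UTF-8 bytes of "é" (0xC3 0xA9) are two separate
//    characters under ISO-8859-1, so the wrong charset produces the "strange
//    characters" the answer warns about instead of the intended é.
$utf8Text = "café";
echo htmlentities($utf8Text, ENT_QUOTES, 'UTF-8'), "\n";
// caf&eacute;
echo htmlentities($utf8Text, ENT_QUOTES, 'ISO-8859-1'), "\n";
// caf&Atilde;&copy;

// Defensive rule the thread converges on: always pass ENT_QUOTES and the
// page's charset explicitly so the call behaves the same on every PHP version.
function html_attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

echo '<input type="text" value="' . html_attr($breaksDouble) . '">', "\n";
echo "<input type='text' value='" . html_attr($breaksSingle) . "'>", "\n";
```

Run it from the command line with php and compare each line against the comment beneath its echo. Case 2 is the one le_m describes: ENT_COMPAT is enough only while every attribute you populate is double-quoted, so passing ENT_QUOTES unconditionally removes the need to audit quoting style at every echo site. Note that from PHP 8.1 the default flags include ENT_QUOTES, but passing them explicitly still makes the behaviour identical across versions, which is Barmar's point about the charset as well.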