Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I tried encoding my attack string in various ways but I am new and could not figure it out, mainly because of the ' '. Without it, I could do: http://localhost/index.php?type=text onkeyup=javascript:alert(0)
Thanks for the reply. You mean adding that line of code directly into the script, right? I am looking more at the client's side and the way he would inject code via the URL (which is then retrieved via $_GET), because strip_tags will escape the single quotes. I tested the function you recommended and it does the work given that the attribute is properly enclosed with ' ', correct?
It is safe because I can't break the context as long as htmlspecialchars() encodes '>'. Is this correct, or are there some ways of bypassing it given that it is inside a commentary?
It is safe because I can't break the context as long as htmlspecialchars() encodes '>'.
Yes. Some Asian languages/encodings could require you to specify encoding explicitly. This is not needed for common European encodings, including utf8, latin-1, cp1251, cp1252 and most others.
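The two points made in this thread, that the attribute has to be enclosed in quotes for htmlspecialchars() to protect it and that the charset can be passed explicitly, are shown together below. This is example code written for this page, not code posted by any participant; the parameter name type and the URL come from the thread, and the second payload containing a single quote is constructed.

```php
<?php
// Added example, not from the thread. Assumes index.php echoes $_GET['type']
// into the type attribute of an <input> element, as the thread's URL
// http://localhost/index.php?type=... suggests.

// Escape a value for use inside a QUOTED HTML attribute.
// ENT_QUOTES encodes both ' and " so the value cannot close the attribute it
// sits in; ENT_SUBSTITUTE replaces invalid byte sequences instead of returning
// an empty string; the explicit 'UTF-8' charset keeps the result independent
// of the default_charset ini setting.
function esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unquoted attribute: the whitespace in the input starts a new attribute, and
// htmlspecialchars() has nothing to encode because no quote or angle bracket
// is involved. This is the weak form the thread's first post describes.
function render_unquoted(string $type): string
{
    return '<input type=' . esc_attr($type) . '>';
}

// Quoted attribute: the browser reads everything up to the closing quote as
// the type value, and any quote inside the input has been encoded, so the
// input cannot leave the attribute context.
function render_quoted(string $type): string
{
    return "<input type='" . esc_attr($type) . "'>";
}

// Payload from the thread (no quotes) and a constructed one containing a quote.
$payloads = [
    'text onkeyup=javascript:alert(0)',   // from the thread
    "text' onkeyup='alert(0)",            // constructed
];

foreach ($payloads as $p) {
    echo 'input:    ', $p, PHP_EOL;
    echo 'unquoted: ', render_unquoted($p), PHP_EOL; // first payload yields a live onkeyup attribute
    echo 'quoted:   ', render_quoted($p), PHP_EOL;   // whole input stays inside type='...'
    echo PHP_EOL;
}
```

In the unquoted output the first payload becomes a second attribute on the element, while in the quoted output the same bytes are just an odd value for type. The constructed payload shows why ENT_QUOTES matters: with the default flags, single quotes are left alone and the value would close a single-quoted attribute.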