
strip_tags or htmlspecialchars?

Posted: Sun Oct 30, 2005 9:26 pm
by Sequalit
When dealing with a user logging into your system, should I use

strip_tags

to get rid of the HTML commands?

or should I convert the HTML into non-harmful stuff with

htmlspecialchars

Which is more secure against an XSS attack, or against any type of hacking attempt?

Posted: Mon Oct 31, 2005 12:10 am
by AGISB
If you want to get rid of the HTML you need to use strip_tags, as this removes the tags. htmlspecialchars will only convert certain chars into their entity code, like '<' to '&lt;'.

However, please don't use just strip_tags to make sure all HTML is gone. It can be abused, as you can read in the comments of http://www.php.net/manual/en/function.strip-tags.php

Posted: Mon Oct 31, 2005 8:29 am
by feyd
strip_tags is also a very dumb function. If you must remove the HTML, try using the "smarter strip_tags" found in the Useful Posts thread (link in signature).

Posted: Tue Nov 01, 2005 6:04 am
by Maugrim_The_Reaper
After using the "smarter" functions feyd mentioned, you can also use htmlentities(). It'll change any remaining malformed tags (plus XSS) into literal entity values, i.e. the remaining HTML will get printed to screen but not as part of the HTML source.
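To make the difference the thread is discussing concrete, here is an added example (not code posted by anyone in this thread) that feeds a few constructed inputs through strip_tags() and htmlspecialchars(). The sample strings and the escape_html() helper are assumptions for the demonstration. It shows the abuse AGISB refers to: when you let strip_tags() keep a harmless-looking tag such as <b>, every attribute of that tag survives too, including an event handler, while htmlspecialchars() leaves nothing that the browser can interpret as markup.

```php
<?php
// Added example for this thread (not code from any poster). Compares what
// strip_tags() and htmlspecialchars() do with constructed attacker input.
// Run with: php example.php

// Constructed sample inputs, the kind a user could submit in a profile or
// login form.
$samples = [
    'bold text'  => 'Hello <b>world</b>',
    'script tag' => '<script>alert(document.cookie)</script>',
    'event attr' => '<b onmouseover="alert(1)">hover me</b>',
];

// Output-side escaping for text placed between HTML tags or inside a
// double-quoted attribute. ENT_QUOTES also encodes the single quote, which
// older PHP versions leave alone by default; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $label => $raw) {
    echo "--- $label\n";
    echo "raw:                  $raw\n";

    // All tags are removed; the text between them is kept.
    echo "strip_tags():         " . strip_tags($raw) . "\n";

    // <b> is allowed, and strip_tags() keeps every attribute of an allowed
    // tag, so the onmouseover handler in the 'event attr' sample survives.
    echo "strip_tags(, '<b>'):  " . strip_tags($raw, '<b>') . "\n";

    // Nothing is removed, but < > & " ' become entities, so the browser
    // renders the tags as visible text instead of executing them.
    echo "htmlspecialchars():   " . escape_html($raw) . "\n";
}
```

The practical takeaway: strip_tags() is a content filter, not an XSS defence, and the allowed-tags list makes it weaker rather than safer. Store the raw input, and escape it with htmlspecialchars() (with ENT_QUOTES) at the point where it is written into an HTML page; if the value lands somewhere else, such as a JavaScript string or a URL, that context needs its own escaping.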