Okay now, let's be sensible and scientific here. This is complete
bollocks.
@Jcart (and by extension @ole):
The given link is on some wiki (which I personally find in no way authoritative), and the last change to it was made in Dec 2006. Moreover, the changes regarding html* functions were made in Dec 2005. Even more over, the text refers to some "rumours" that they may not work, but doesn't provide any details on what is broken. This is, to say the least, silly. Their code examples regarding use of html*() on another page are insecure. In short, this resource does not cover even the basic requirements for taking it seriously.
@Hockey: I understand almost nothing of what you said, but since it doesn't say that you need all three params to the function and do it on all data instead of hacking some check with regexps, then ... err ... it must be wrong.
----
As for htmlentities() vs htmlspecialchars() -- it doesn't matter from a security point of view which one you use; both will handle the HTML syntax characters. The former will also work when some things in your input string cannot be represented correctly, while the latter will produce garbage. Since that is a design choice, and not a security choice, it is up to the coder to decide if he wants a bug or not. At least he won't have a security hole.
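As an added example (not part of the original post), here is what the "all three params" argument looks like in PHP: a single escaping helper that passes quote handling, invalid-byte handling and an explicit charset, next to the two-argument call it replaces. It assumes PHP 7 or later and UTF-8 output; the inputs are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 and a UTF-8 page.

/**
 * Escape untrusted text for an HTML body or a quoted attribute.
 *   ENT_QUOTES     - encode ' as well as ", so single-quoted attributes stay intact
 *   ENT_SUBSTITUTE - replace invalid UTF-8 with U+FFFD instead of returning ""
 *   'UTF-8'        - name the charset explicitly; never rely on the default
 */
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Runs the comparison cases and returns true if every expectation holds. */
function demo(): bool
{
    // Constructed inputs: one with HTML syntax characters and a single quote,
    // one containing a Latin-1 byte that is not valid UTF-8.
    $name = "O'Reilly <b>& sons</b>";
    $bad  = "caf\xE9";

    // 1. Without ENT_QUOTES the single quote passes through untouched, which
    //    is exactly the gap a single-quoted attribute value cannot tolerate.
    $twoArgs = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
    $ok = strpos($twoArgs, "'") !== false;

    // 2. The full call encodes it (ENT_HTML401 default renders ' as &#039;).
    $ok = $ok && e($name) === "O&#039;Reilly &lt;b&gt;&amp; sons&lt;/b&gt;";

    // 3. Invalid encoding without ENT_SUBSTITUTE: the whole string silently
    //    becomes "", so the page shows nothing and nobody notices.
    $ok = $ok && htmlspecialchars($bad, ENT_QUOTES, 'UTF-8') === "";

    // 4. With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest survives.
    $ok = $ok && e($bad) === "caf\u{FFFD}";

    // 5. For the syntax characters themselves, htmlentities() with the same
    //    flags produces the same output; the difference is only in how
    //    non-ASCII characters are represented, not in what gets neutralised.
    $ok = $ok && htmlentities($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') === e($name);

    return $ok;
}

var_dump(demo());
```

Use e() on every untrusted value at the point it is written into the page; the point of the helper is that the three arguments cannot be forgotten one call at a time.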
