
Possible Duplicate:
What do the ENT_HTML5, ENT_HTML401, … modifiers on html_entity_decode do?

When using htmlspecialchars to escape output that goes into an HTML attribute, I am wondering which flag is correct.

It seems that ENT_QUOTES would be safer than ENT_COMPAT because it cannot fail if someone accidentally adds some code with single-quoted attributes, but then why does ENT_COMPAT exist? Is there a disadvantage to ENT_QUOTES?

Also, what are the security implications of using ENT_HTML5, ENT_XHTML or ENT_HTML401, or of not setting one at all?

  • Similar questions were asked here very often, I suppose. So instead of an answer I'll just suggest reading [this article](http://blog.astrumfutura.com/2012/03/a-hitchhikers-guide-to-cross-site-scripting-xss-in-php-part-1-how-not-to-use-htmlspecialchars-for-output-escaping/). – raina77ow Jul 07 '12 at 19:30
  • Thanks a lot. I'm sorry if I missed the duplicates. I did search. The article is hard to read (it's like a pot of worms), but it (and the rest of that blog) definitely is the most useful resource I have found so far. However, claims like 'you can ignore the existence of these flags' without any justification are problematic. – Jul 07 '12 at 20:26
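An added example, written for this page and not taken from the question, the linked article or any answer, showing what the flag choice actually changes when the escaped value lands in an attribute. It assumes PHP 5.4 or later (ENT_HTML5, ENT_XHTML and ENT_HTML401 were introduced in 5.4) and UTF-8 output; the helper name `attr` and the attacker strings are constructed for the demonstration.

```php
<?php
// Added example (not from the original question): compare htmlspecialchars()
// flags when the escaped value is placed into single-quoted, double-quoted
// and unquoted HTML attributes. Assumes PHP >= 5.4 and UTF-8 output.

declare(strict_types=1);

/**
 * Escape $value for use inside an attribute with the given flags.
 * ENT_SUBSTITUTE is always added: without it (or ENT_IGNORE) an invalid
 * UTF-8 byte sequence makes htmlspecialchars() return an empty string,
 * which silently drops the whole value.
 */
function attr(string $value, int $flags): string
{
    return htmlspecialchars($value, $flags | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker input: ends a single-quoted attribute value and starts
// an event-handler attribute.
$singleQuoteBreakout = "x' onmouseover='alert(1)";
// Constructed attacker input: needs no quote at all, only a space.
$unquotedBreakout = "x onmouseover=alert(1)";

echo "--- single-quoted attribute ---\n";
printf("ENT_COMPAT : <div title='%s'>\n", attr($singleQuoteBreakout, ENT_COMPAT));
// ENT_COMPAT converts only double quotes, so the output is
// <div title='x' onmouseover='alert(1)'> and the browser sees a new attribute.
printf("ENT_QUOTES : <div title='%s'>\n", attr($singleQuoteBreakout, ENT_QUOTES));
// ENT_QUOTES also converts ', giving
// <div title='x&#039; onmouseover=&#039;alert(1)'> which stays inside the value.

echo "--- double-quoted attribute ---\n";
printf("ENT_COMPAT : <div title=\"%s\">\n", attr('x" onmouseover="alert(1)', ENT_COMPAT));
// Here ENT_COMPAT is enough, because " is converted to &quot; in every mode.

echo "--- the document-type flag only changes which entity ' becomes ---\n";
printf("ENT_HTML401: %s\n", attr("'", ENT_QUOTES | ENT_HTML401)); // &#039;
printf("ENT_XHTML  : %s\n", attr("'", ENT_QUOTES | ENT_XHTML));   // &apos;
printf("ENT_HTML5  : %s\n", attr("'", ENT_QUOTES | ENT_HTML5));   // &apos;

echo "--- unquoted attribute: no flag can help ---\n";
printf("ENT_QUOTES : <div title=%s>\n", attr($unquotedBreakout, ENT_QUOTES));
// Output is <div title=x onmouseover=alert(1)>: there is nothing for
// htmlspecialchars() to encode, so attribute values must always be quoted.

echo "--- invalid UTF-8 without ENT_SUBSTITUTE ---\n";
var_dump(htmlspecialchars("\xff<script>", ENT_QUOTES, 'UTF-8'));
// string(0) "" : the value vanishes. ENT_SUBSTITUTE is part of the default
// flags only since PHP 8.1, and only when the flags argument is omitted.
```

The practical reading of the output: ENT_QUOTES is the safe choice whenever the template might use single-quoted attributes, the HTML401/XHTML/HTML5 flags only decide whether the apostrophe becomes `&#039;` or `&apos;` (older HTML4-only parsers do not recognise `&apos;`, which is the usual reason to stay on ENT_HTML401), and neither flag set helps with unquoted attributes or with a value that is dropped because of invalid encoding.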

0 Answers