Which PHP function is suited to escape HTML for usage in <iframe srcdoc="???">?
I found two candidates: htmlspecialchars() and htmlentities(). Which one should be used to allow any possible HTML code to be escaped properly?
Asked
Active
Viewed 2,333 times
2
Denees
- 9,100
- 13
- 47
- 76
Silicomancer
- 8,604
- 10
- 63
- 130
-
did u read manual?... – user1844933 Mar 31 '14 at 06:23
-
You should be using the `htmlspecialchars()` as `htmlentities()` is a pretty _overkill_ compared to the former. – Shankar Narayana Damodaran Mar 31 '14 at 06:24
-
Did you try to google .. http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars – Andy897 Mar 31 '14 at 06:24
-
Of course I did. And I see the difference. But I did not understand if htmlspecialchars() is sufficient for that special application or if htmlentities() is necessary (and why). – Silicomancer Mar 31 '14 at 06:30
1 Answers
6
htmlspecialchars() does everything you need it too. htmlentities() is for special use cases, like Chinese characters, where you may want to escape them, even though it is not 100% required. htmlspecialchars() seems to be sufficient to protect you from any type of XSS.
Bardi Harborow
- 1,803
- 1
- 28
- 41