I am a PHP newbie. This is part of a gallery code. I recently read about SQL injection and cross-site scripting attacks, and I am trying to avoid them by HTML-escaping dynamically produced data. I am not sure if I am heading in the right direction here. I created an array with URL parameters and then a function for HTML escaping. Can you critique this code and let me know what I am doing wrong, please?

// Query-string parameters for the gallery link
$parameters_new = array('name' => $name,'pcaption' => $caption_array[$new]);

// Escape a value for output inside HTML, converting both single and double quotes
function html_escape($input, $encoding)
{
    return htmlentities($input, ENT_QUOTES, $encoding);
}

// Append one gallery entry to the output buffer
$result_final .= '<div class="limage"><table><tr><td><table class="image"><tr><td><a href="' . html_escape('gallery.php?' . http_build_query($parameters_new), 'UTF-8') . '">
<img src="'. $img_dir . '/' .$photo_filename.'"  alt=" ' . $photo_keywords . '"></a>
<div class="caption">'.$photo_caption.'</div><div class="excerpt">'.$photo_description.'</div></td></tr></table></td></tr></table><div class="underline"></div>';
yathrakaaran
  • This question appears to be off-topic. It belongs on http://codereview.stackexchange.com/ – Phil Sep 03 '14 at 09:03
  • Agreed on appropriateness to SO. However, well done for actually thinking about security in the first place - too many people don't. – Adrian Wragg Sep 03 '14 at 09:04
  • Some good reading over here if you're interested ~ https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) – Phil Sep 03 '14 at 09:06
  • I think that the function `http_build_query($parameters_new)` will encode all special chars to a %xx encoding, rendering the custom function useless. **EDIT** It will, check here: http://sandbox.onlinephpfunctions.com/code/51c7c43ca83b255482bf05edc5fb51e83777dd1d – Ismael Miguel Sep 03 '14 at 09:51
  • Thanks Phil and Ismael. – yathrakaaran Sep 03 '14 at 17:27
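As an added example (not the asker's code or any commenter's), here is the same gallery snippet with every dynamic value escaped for the context it is placed in: the query string is built with http_build_query() and then HTML-escaped because it lands inside an attribute (its '&' separators must become '&amp;'), the filename is URL-encoded before being HTML-escaped, and the caption, keywords and description are HTML-escaped as element content or attribute values. The helpers gallery_link, image_src and render_gallery_entry and the sample values are constructed for this example; html_escape keeps the asker's name but uses htmlspecialchars.

```php
<?php
// Added example: the question's gallery output with per-context escaping.
// Variable names follow the question; helper names and sample data are constructed.

// Escape text placed inside HTML element content or a quoted attribute.
function html_escape(string $input, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding);
}

// http_build_query() percent-encodes the parameter values, but the result is
// then written into an href attribute, so it still needs HTML escaping.
function gallery_link(array $parameters): string
{
    return html_escape('gallery.php?' . http_build_query($parameters));
}

// A filename that becomes part of a URL path is URL-encoded, then HTML-escaped.
function image_src(string $img_dir, string $photo_filename): string
{
    return html_escape(rtrim($img_dir, '/') . '/' . rawurlencode($photo_filename));
}

// Render one gallery entry; every interpolated value goes through an escaper.
function render_gallery_entry(array $photo): string
{
    $parameters_new = ['name' => $photo['name'], 'pcaption' => $photo['caption']];
    return '<div class="limage"><table><tr><td><table class="image"><tr><td>'
        . '<a href="' . gallery_link($parameters_new) . '">'
        . '<img src="' . image_src($photo['img_dir'], $photo['filename']) . '"'
        . ' alt="' . html_escape($photo['keywords']) . '"></a>'
        . '<div class="caption">' . html_escape($photo['caption']) . '</div>'
        . '<div class="excerpt">' . html_escape($photo['description']) . '</div>'
        . '</td></tr></table></td></tr></table><div class="underline"></div>';
}

// Constructed sample: a caption containing markup and quote characters.
$sample = [
    'name'        => 'holiday & trips',
    'caption'     => '"Sunset" <script>alert(1)</script>',
    'img_dir'     => 'images',
    'filename'    => 'sun set.jpg',
    'keywords'    => 'beach, sunset',
    'description' => 'A photo description with <b>tags</b>',
];
echo render_gallery_entry($sample), PHP_EOL;
```

In the rendered output the caption appears as literal text rather than as a script element, and the href contains `&amp;pcaption=%22Sunset%22+...` rather than a bare `&`.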

1 Answer

I recommend that you use a template system or create your own.

Template systems, like Smarty, could escape your vars.

You could see this question: Why should I use a templating system in PHP?

Avara