The best method depends on your use-case. If you use htmlspecialchars(), then if your user enters bold text in the WYSIWYG, it will show up on your page either as <b>bold text</b> or <strong>bold text</strong>. That's probably not what you want.

If you actually want to output the formatted text from your WYSIWYG, you need to sanitise the HTML input. HTML Purifier is one good option for that, and quite easy to set up.

In short: it depends on whether you actually want to output formatted text or not. If you don't, htmlspecialchars() is easier and consumes less resources. Since you're letting users use a WYSIWYG, I assume you do, though, and in that case htmlspecialchars() will ruin what you're even trying to achieve.
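The two options described above side by side, as an added example that is not part of the answer. It assumes HTML Purifier has been installed with Composer (`composer require ezyang/htmlpurifier`) so that `vendor/autoload.php` exists; the sample input, the allow-list of tags and the function names are constructed for illustration.

```php
<?php
// Added example: escaping vs. sanitising WYSIWYG output in PHP.
// Assumes HTML Purifier is installed via Composer (ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample of what a WYSIWYG editor might submit: legitimate
// formatting mixed with markup that must never reach the page as-is.
$input = '<b>bold text</b> <script>alert(1)</script> '
       . '<a href="javascript:alert(1)">link</a>';

// Option 1: escape everything with htmlspecialchars().
// Safe for display, but the tags become literal text, so the user's
// bold formatting is shown as "<b>bold text</b>" rather than rendered.
function escapeForDisplay(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Option 2: sanitise with HTML Purifier.
// Only the allow-listed tags/attributes survive; the <script> element and
// the javascript: URL are removed, while <b>bold text</b> is kept intact.
function sanitiseHtml(string $untrusted): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Constructed allow-list: basic inline formatting plus http(s) links.
    $config->set('HTML.Allowed', 'b,strong,i,em,u,p,br,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Disable the on-disk definition cache so the script runs anywhere
    // without needing a writable cache directory.
    $config->set('Cache.DefinitionImpl', null);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($untrusted);
}

echo "Escaped:   " . escapeForDisplay($input) . PHP_EOL;
echo "Sanitised: " . sanitiseHtml($input) . PHP_EOL;
```

The escaped string is what you would use if the editor's formatting should be discarded; the sanitised string is what you store or render when the formatting must survive. Keep the allow-list as small as your feature actually needs, since every tag or attribute you permit is markup you are choosing to trust.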