Do I need to use htmlentities() in html tag attributes to prevent XSS attacks

Question

So suppose I have this piece of code:

<div class="name" id="<?php echo $userId; ?>">      
    <p>User Name: <?php echo $username; ?></p>
    <p>Last Activity: <?php echo getTime($datetime); ?></p>
    <p>Date: <?php echo $date; ?></p>
</div>

In this, do I have to write htmlentities inside the div id attribute too?

For example, like this:

<div class="name" id="<?php echo htmlentities($userId); ?>" >...</div>

Also, do I need to do this:

<p>Last Activity: <?php echo htmlentities(getTime($datetime)); ?></p>

Thanks for the help!

P.S.:datetime is a function that I have created

Is $userId a user entered field or an autonumber coming from the db? — Matt, Jun 15 '17 at 03:40

score 1 · Accepted Answer · answered Jun 15 '17 at 03:52

It depends on if the user can manipulate those variables or not. If they can prior to them being echoed out, then you should sanitize those variables (using htmlentities() and others as well). If those variables are hard coded in so users cannot manipulate them, then you are fine.

Basically, can the user alter the variable $userID in any way prior to echo $userID being called? Then, yes, you should include htmlentites and probably some other things as well for security purposes.

Here is a link that may help. Be sure to read the comments for the answers as well.

Do I need to use htmlentities() in html tag attributes to prevent XSS attacks

1 Answers1