Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Nik Cubrilovic (nik nik.com.au)
Date: Mon Mar 11 2002 - 10:17:59 CST
In short, no.
----------test.php---------
<html>
<head><title>test</title></head>
<body>
<?php
$test = "javascript:alert('hi')";
// htmlentities() encodes the quotes but leaves the javascript: scheme untouched,
// so the browser still sees a javascript: URL in the src attribute.
print "<img src=\"" . htmlentities($test) . "\">";
?>
</body>
</html>
---------end test.php-------
will still execute the script on the client side. The function(s) do
filter special characters, but do not fully prevent cross-site scripting.
-Nik Cubrilovic
On Mon, 11 Mar 2002, Steve Sobol wrote:
> Hello folks,
>
> Using PHP, if I have a text string I want to display, is it enough to use
> htmlentities() or htmlspecialchars()
> to encode potentially dangerous characters, or do I need to take further
> precautions?
>
> http://www.php.net/manual/en/function.htmlentities.php
>
> http://www.php.net/manual/en/function.htmlspecialchars.php
>
>
>
>
> --
> JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216
> website: http://JustThe.net email: sjsobol JustThe.net phone: 216.619.2NET
> postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2
>
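The point of Nik's test.php is that htmlentities() addresses only the HTML markup context; a value that lands in a URL attribute also needs its scheme checked. The following is an added example (not code from the thread), pairing scheme validation with htmlspecialchars() and assuming that only http, https and site-relative paths are wanted in the src attribute:

```php
<?php
// Added example, not code from the thread: htmlentities() only neutralises HTML
// metacharacters, so a "javascript:" value survives it unchanged. An attribute
// that carries a URL needs validation of the value *and* output encoding.

// Return the URL if it is acceptable for src=/href=, otherwise null.
// Assumption: only http, https and site-relative paths are wanted here.
function validate_url_for_attribute(string $url): ?string
{
    $url = trim($url);
    // Browsers drop ASCII control characters and whitespace while parsing a
    // scheme, so inspect the value with them removed before deciding.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if ($probe === null || $probe === '') {
        return null;
    }
    // Site-relative path: a single leading slash (two would be protocol-relative).
    if (preg_match('#^/(?!/)#', $probe)) {
        return $url;
    }
    // Absolute URL: scheme must be exactly http or https.
    if (preg_match('#^https?://#i', $probe)) {
        return $url;
    }
    return null;
}

// Validation decides whether the value may be used at all; htmlspecialchars()
// with ENT_QUOTES keeps it from breaking out of the quoted attribute.
function img_tag(string $url, string $fallback = '/img/blank.gif'): string
{
    $safe = validate_url_for_attribute($url) ?? $fallback;
    return '<img src="' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs for a quick self-check of both functions.
$inputs = [
    "javascript:alert('hi')",              // the string from the thread
    "java\tscript:alert('hi')",            // same scheme, split by a tab
    "//attacker.example/x.png",            // protocol-relative, not site-relative
    "https://example.com/a.png?x=1&y=\"",  // legitimate; only needs encoding
    "/images/logo.png",                    // site-relative
];
foreach ($inputs as $in) {
    echo str_pad(addcslashes($in, "\t"), 38) . ' -> ' . img_tag($in) . "\n";
}
```

The first three inputs are replaced by the fallback image; the last two are kept, with the query string's `&` and `"` encoded so they cannot close the attribute.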