Calling htmlspecialchars() directly with its default arguments is error-prone: before PHP 8.1 the default flags do not escape single quotes, so a value placed inside a single-quoted attribute can still break out, and without ENT_SUBSTITUTE an invalid byte sequence makes the function return an empty string instead of the escaped value. Use a small wrapper that fixes the flags and takes the encoding explicitly. The wrapper is only correct for HTML element content and quoted attribute values: always quote the attribute, because htmlspecialchars() leaves spaces and '=' untouched, and use a context-specific encoder for JavaScript, URL or CSS contexts.
/**
 * HTML-escapes a string so that it can safely be included in an HTML document
 * (element content or a quoted attribute value).
 *
 * ENT_QUOTES escapes both " and ', ENT_SUBSTITUTE replaces invalid byte
 * sequences with U+FFFD instead of returning an empty string.
 *
 * @param string $unsafe_input the string which should be escaped
 * @param string $encoding the character encoding of the input string
 *
 * @return string the escaped string
 */
function html_escape(string $unsafe_input, string $encoding): string
{
    return htmlspecialchars($unsafe_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}
Note that escaping is dependent on the character encoding: a byte sequence that is harmless in one encoding can be interpreted differently in another, so the encoding passed to the wrapper must be the one the document is actually served in. Keep a constant or configuration value for the encoding of your HTML documents and pass it to every call:
<?php
// UTF-8 is recommended for modern applications
const APP_HTML_ENCODING = 'UTF-8';
<?php
// require_once the functions and constants here
// unless your webserver already sets the encoding attribute in the Content-Type header, do it here
header('Content-Type: text/html;charset=utf-8');
$test_input = '"></div><script>alert("XSS")</script><div data-dummy="';
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Page title</title>
</head>
<body>
<!-- testing the escape function -->
<div data-test="<?= html_escape($test_input, APP_HTML_ENCODING) ?>"></div>
</body>
</html>
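The following command-line script is an added example and not part of the original page. It runs html_escape() and a deliberately weak variant (html_escape_weak(), a name introduced here for comparison, using ENT_COMPAT and no ENT_SUBSTITUTE) over constructed attack strings covering the three failure modes named above: a single-quote attribute break-out, a double-quote break-out, and an invalid UTF-8 byte. It then shows why the encoding argument matters by escaping the same bytes as UTF-8 and as ISO-8859-1.

```php
<?php
// Added example (not from the original page): compares the html_escape() wrapper
// with a weaker htmlspecialchars() call and shows the effect of the encoding.
// Run with: php check_escape.php ; exit status 0 means the wrapper passed.
declare(strict_types=1);

const APP_HTML_ENCODING = 'UTF-8';

function html_escape(string $unsafe_input, string $encoding): string
{
    return htmlspecialchars($unsafe_input, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// Weak variant, for comparison only (hypothetical helper): ENT_COMPAT leaves
// single quotes alone, and without ENT_SUBSTITUTE an invalid byte sequence
// makes htmlspecialchars() return an empty string.
function html_escape_weak(string $unsafe_input, string $encoding): string
{
    return htmlspecialchars($unsafe_input, ENT_COMPAT, $encoding);
}

// A value is safe for a quoted attribute or element content only if no
// quote or angle bracket survives and the value was not silently dropped.
function is_safely_escaped(string $escaped): bool
{
    return $escaped !== '' && strpbrk($escaped, "<>\"'") === false;
}

// Constructed attack strings, one per failure mode.
$cases = [
    'single-quoted attribute break-out' => "' onmouseover='alert(1)",
    'double-quoted attribute break-out' => '"></div><script>alert("XSS")</script><div data-dummy="',
    'invalid UTF-8 (lone 0xE9 byte)'    => "caf\xE9",
];

$failures = 0;
foreach ($cases as $label => $input) {
    $weak = html_escape_weak($input, APP_HTML_ENCODING);
    $safe = html_escape($input, APP_HTML_ENCODING);
    printf("%-36s weak=%-4s wrapper=%s\n",
        $label,
        is_safely_escaped($weak) ? 'ok' : 'FAIL',
        is_safely_escaped($safe) ? 'ok' : 'FAIL');
    if (!is_safely_escaped($safe)) {
        $failures++;
    }
}

// Encoding mismatch: the same bytes are valid ISO-8859-1 but invalid UTF-8.
// Escaping as UTF-8 replaces the 0xE9 byte with U+FFFD (EF BF BD); escaping
// with the matching encoding preserves it. Whichever you choose, the value
// passed to html_escape() must be the charset the page is served with.
$latin1_bytes = "caf\xE9";
$as_utf8      = html_escape($latin1_bytes, 'UTF-8');
$as_latin1    = html_escape($latin1_bytes, 'ISO-8859-1');
printf("as UTF-8:      %s\n", bin2hex($as_utf8));
printf("as ISO-8859-1: %s\n", bin2hex($as_latin1));
if ($as_utf8 !== "caf\xEF\xBF\xBD" || $as_latin1 !== $latin1_bytes) {
    $failures++;
}

exit($failures === 0 ? 0 : 1);
```

Expected behaviour: the weak variant fails the single-quote case (the quote is passed through unchanged) and the invalid-UTF-8 case (it returns an empty string), while the wrapper passes all three and escapes the single quote as `&#039;`.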