waynew, posted September 1, 2008:

Hey guys, I was reading around the other day when I came across this:

"A very common approach to circumvent XSS-cleaners is to use entities instead of plaintext, therefore the first thing we do is to remove those entities with their UTF-8 equivalent (we assume the input is UTF-8 here)."

They suggest using:

$string = html_entity_decode($string, ENT_COMPAT, "UTF-8");

Does this mean that using htmlentities()/strip_tags() alone isn't going to stop everything?

Thread: https://forums.phpfreaks.com/topic/122199-xss/
valtido, posted September 1, 2008:

If you think about it, hacking is like a cat and mouse chase: those who hack always find a way to hack, those who have been hacked always find new ways to protect their data. My point is that it is safe, but you can never be 100% safe lol
waynew, posted September 1, 2008:

I know. There is always going to be someone who is better than you. But it's good to stay security-minded. Make your house safer than your neighbours'.
waynew, posted September 1, 2008:

It's okay. I think htmlentities() will do the job. I've found instances where strip_tags() wasn't enough.
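The point raised in the first post and the conclusion in the last one, as an added example that is not from the thread or from any library it mentions: a cleaner that only looks at the raw bytes reports entity-encoded markup as clean, decoding with html_entity_decode() first lets the cleaner see what the browser (or any later decoding step) would see, and escaping at output time with htmlspecialchars() needs no such guessing. The input strings are constructed for the demonstration.

```php
<?php
// Constructed sample inputs: the same markup, plain and entity-encoded.
const SAMPLE_INPUTS = [
    'plain'   => '<script>alert(1)</script>hello',
    'encoded' => '&lt;script&gt;alert(1)&lt;/script&gt;hello',
];

// Naive cleaner: strips tags from the raw input only. On the encoded
// input there are no literal tags, so it returns the string unchanged;
// anything downstream that decodes entities would see the markup again.
function naiveClean(string $s): string {
    return strip_tags($s);
}

// Cleaner as suggested in the quoted advice: normalise entities to
// their UTF-8 characters first, then strip. Both inputs now look alike.
function decodeThenClean(string $s): string {
    $decoded = html_entity_decode($s, ENT_COMPAT, 'UTF-8');
    return strip_tags($decoded);
}

// Output encoding: store the text untouched and escape when rendering
// into HTML. The encoded input is escaped again (&amp;lt;...), so a
// browser shows exactly the characters the user typed, never markup.
function renderSafe(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

foreach (SAMPLE_INPUTS as $label => $raw) {
    echo "== $label ==\n";
    echo "naive strip_tags:    ", naiveClean($raw), "\n";
    echo "decode + strip_tags: ", decodeThenClean($raw), "\n";
    echo "htmlspecialchars:    ", renderSafe($raw), "\n";
}

// Self-check: only the decode-first cleaner treats both inputs the same,
// and the output-encoded form never contains a raw '<'.
assert(naiveClean(SAMPLE_INPUTS['encoded']) === SAMPLE_INPUTS['encoded']);
assert(decodeThenClean(SAMPLE_INPUTS['encoded']) === decodeThenClean(SAMPLE_INPUTS['plain']));
assert(strpos(renderSafe(SAMPLE_INPUTS['plain']), '<') === false);
```

Stripping or decoding on input is a normalisation step for a filter; the escaping on output is what actually keeps stored text from being interpreted as HTML, and it is the one that holds regardless of how the input was encoded.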