PugJr, Posted August 11, 2009
Topic: https://forums.phpfreaks.com/topic/169843-is-it-possible-to-xss-with-htmlentities-enabled/

Mostly what the subject said. My script is using mysql_real_escape_string and htmlentities on any content that is viewed, among others. My question, as my topic title said: is it possible to still XSS within those conditions?
thebadbad, Posted August 11, 2009

As long as htmlentities() also converts special HTML characters, the attacker won't be able to render any code on your pages. So no, an XSS attack wouldn't be possible under those conditions.
Bjom, Posted August 11, 2009

You can still produce loopholes - it depends on how you use the htmlentities. So post your code and we can review it.
PugJr (Author), Posted August 11, 2009

    $postcontent = protection($postcontent);

That being how the content is protected. The function is:

    // Escapes for HTML first, then for SQL, before the value is stored.
    function protection($content) {
        $content = htmlentities($content);
        $content = mysql_real_escape_string($content);
        return $content;
    }

Anything I should do to protection() to make it more secure?
Bjom, Posted August 12, 2009

That applies both functions. Yes. Can't see and say anything more than before. It depends when you apply the function and what you do with the $postcontent variable later. *shrug*
PugJr (Author), Posted August 12, 2009

Well, after that I would then be updating or inserting that content into the database. That's the only thing I'll do with it afterwards. I only use it right before adding it to the database.
roopurt18, Posted August 12, 2009

You call mysql_real_escape_string() before inserting into the database. You call htmlentities() before displaying database content in the browser. I do not recommend calling htmlentities() before inserting to the database.
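The separation roopurt18 describes (SQL escaping at storage time, HTML escaping at output time), together with Bjom's point that it depends on how htmlentities() is used, as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database so it runs offline; the prepared statement stands in for the mysql_real_escape_string() call in the original, and the function names escapeForHtml, storePost, loadPost and renderPost are my own.

```php
<?php
// Added example (not from the thread): keep the raw text in the database and
// escape only when rendering, with ENT_QUOTES so attribute contexts are covered.
declare(strict_types=1);

// Output side. The flags matter: with the older default (ENT_COMPAT, the
// default before PHP 8.1) a single quote passes through untouched, so a
// single-quoted attribute would not be protected. Passing ENT_QUOTES and the
// charset explicitly removes that dependency on the PHP version and ini.
function escapeForHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input side: store the content exactly as typed. The prepared statement does
// the SQL quoting, so nothing has to be un-escaped later and nothing is
// double-encoded.
function storePost(PDO $db, string $content): int
{
    $stmt = $db->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $content]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT content FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? '' : (string) $row;
}

// Render into two HTML contexts (element body and single-quoted attribute);
// both are escaped here, at output time, and nowhere else.
function renderPost(string $raw): string
{
    $safe = escapeForHtml($raw);
    return "<div class='post' title='{$safe}'>{$safe}</div>";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, content TEXT NOT NULL)');

// Constructed sample input: ordinary text containing the characters each
// layer has to handle (an apostrophe, an ampersand, angle brackets).
$sample = "O'Reilly & Sons <b>bold</b>";

$id  = storePost($db, $sample);
$raw = loadPost($db, $id);

// The stored copy is byte-for-byte the user's text ...
assert($raw === $sample);

// ... and the rendered copy contains no raw quote, ampersand or tag from it.
$html = renderPost($raw);
assert(strpos($html, '<b>') === false);
assert(strpos($html, "O'") === false);
assert(strpos($html, '&#039;') !== false);
echo $html, PHP_EOL;

// What the thread's original order produces: escaping before storage means the
// database already holds entities, and any output path that escapes again (as
// every HTML template should) shows "&amp;lt;b&amp;gt;" to the reader instead
// of their text. Non-HTML consumers (plain-text mail, a JSON API) get the
// entities too.
$escapedBeforeStorage = htmlentities($sample, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
assert(escapeForHtml($escapedBeforeStorage)
    === 'O&amp;#039;Reilly &amp;amp; Sons &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;');
```

The point to check in your own code is the last block: if the value in the database is already entity-encoded, every page that escapes on output (which is the right default) double-encodes it, and every page that therefore skips output escaping to avoid that is one forgotten call away from the problem the escaping was meant to prevent.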
Bjom, Posted August 12, 2009

That was one point, which is why I asked the OP to be more specific. There might be more trouble. But since you are not willing to provide any information and seem to think this is a quiz show... do not expect any answers. You're on your own.
This topic is now archived and is closed to further replies.