Possible duplicate:
PHP htmlentities() at input before inserting into the database, not at output
For a PHP application that is simply trying to protect itself against XSS-type attacks, at what stage should the htmlentities() function be called? Should it be called on the user's initial input, or on each page where this data is displayed?
If I use htmlentities() on user input, I end up storing a little more data in the database. However, in the end I save processor cycles, because I only need to perform the conversion once on input and never again on any subsequent output of this data.
I should note that I do not foresee any case of ever storing embedded HTML data in my application, so using htmlentities() is intended solely as protection against XSS. In the unlikely event that I ever need the raw HTML, I can just call html_entity_decode() to reverse htmlentities(). In addition, it saves me from forgetting to call htmlentities() when rendering a page and accidentally letting an XSS exploit into my application.
I played with the idea of using Facebook's XHP extension, but parsing XML is quite a lot of overhead, more than I would like in my application.
Summary: should I use htmlentities() on input or on output? What is the generally accepted approach to this situation?
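The trade-off the question describes, worked through as an added example that is not part of the original post and not the questioner's own code: a PHP script stores a constructed sample display name and renders it under both strategies (escape once on input versus store raw and escape at each output). The sample input, the `example.invalid` search URL and the helper names `escapeHtml`, `renderEscapeOnOutput` and `renderEscapeOnInput` are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question. It contrasts the two
// strategies the question asks about: escaping once on input versus storing
// the raw value and escaping at each output, per context. The sample input,
// the search URL and the function names are constructed for illustration.

// Constructed sample input: a display name containing HTML metacharacters.
const RAW_INPUT = "O'Brien <script>alert(1)</script> & \"friends\"";

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES is passed explicitly because the default flags of
// htmlspecialchars()/htmlentities() changed in PHP 8.1 (older versions
// left the single quote alone unless you asked for ENT_QUOTES).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Strategy 1: store the raw string; escape at every output according to context.
function renderEscapeOnOutput(string $stored): array
{
    return [
        'html_text' => '<p>Hello, ' . escapeHtml($stored) . '</p>',
        'html_attr' => '<input name="display" value="' . escapeHtml($stored) . '">',
        // URL context: percent-encode the value first, then HTML-escape the attribute.
        'html_href' => '<a href="' . escapeHtml('https://example.invalid/search?q=' . rawurlencode($stored)) . '">search</a>',
        // Non-HTML consumers get the raw value; JSON has its own encoder.
        'json_api'  => json_encode(['display' => $stored], JSON_THROW_ON_ERROR),
        'text_mail' => "Dear {$stored},\n",
    ];
}

// Strategy 2: escape once on input; the database holds an HTML-encoded string.
function renderEscapeOnInput(string $storedEncoded): array
{
    return [
        // Correct only as long as nobody escapes again...
        'html_text'   => '<p>Hello, ' . $storedEncoded . '</p>',
        // ...but a template engine with auto-escaping (or a colleague applying the
        // escape-on-output rule) double-encodes, and users see "&lt;script&gt;" literally.
        'html_double' => '<p>Hello, ' . escapeHtml($storedEncoded) . '</p>',
        // Wrong context: the browser decodes "&amp;" in an href back to "&", so the
        // user-controlled value now splits the query string, and spaces and quotes
        // are not percent-encoded at all.
        'html_href'   => '<a href="https://example.invalid/search?q=' . $storedEncoded . '">search</a>',
        // Non-HTML consumers receive entities they never asked for.
        'json_api'    => json_encode(['display' => $storedEncoded], JSON_THROW_ON_ERROR),
        'text_mail'   => "Dear {$storedEncoded},\n",
    ];
}

$stored        = RAW_INPUT;                                    // strategy 1 stores this
$storedEncoded = htmlentities(RAW_INPUT, ENT_QUOTES, 'UTF-8'); // strategy 2 stores this

// Side effect of encoding at input: length limits and comparisons now operate on
// entity text rather than on what the user typed (strlen is fine here, the sample is ASCII).
printf("raw length %d, encoded length %d\n", strlen($stored), strlen($storedEncoded));

foreach (['escape on output' => renderEscapeOnOutput($stored),
          'escape on input'  => renderEscapeOnInput($storedEncoded)] as $label => $out) {
    echo "== {$label} ==\n";
    foreach ($out as $ctx => $s) {
        echo str_pad($ctx, 12), $s, "\n";
    }
}
```

Run it with `php escape.php` and compare the two sections. The escape-on-output side produces a correct string for every consumer because each output path applies the encoder for its own context (htmlspecialchars for HTML, rawurlencode for a URL component, json_encode for JSON, nothing for plain text). The escape-on-input side is right for exactly one context and wrong for the rest, and any later output-side escaping double-encodes it. The "forgetting to escape" concern in the question is normally addressed by rendering through a template engine that escapes by default, not by pre-encoding the stored data.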