Reputation: 303
I have some user input in a website, and I don't want to allow HTML when outputting that input with PHP later.
I think that the only dangerous characters are <, >, / (slash) and \ (backslash).
Am I right?
So, for example, if I replace < with &lt;, will it be enough to prevent HTML being output?
Upvotes: 3
Views: 165
Reputation: 72739
Simply use the builtin function htmlspecialchars()
and you will be good. Just note that you should also always add the encoding argument.
An example is:
echo htmlspecialchars($unsafeString, ENT_QUOTES, 'UTF-8');
Upvotes: 10
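The following is an added example, not code from the question or the answer above. It wraps htmlspecialchars() in a small helper with the flags the answer recommends and runs it side by side with the "replace only <" idea from the question, on a few constructed inputs. The helper name h(), the naiveLtOnly() function and the sample strings are assumptions made for this illustration. Note that htmlspecialchars() only converts &, <, >, " and '; it leaves / and \ alone, and that is sufficient for HTML text and quoted attribute values.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): escape a string for HTML
// text or attribute context and contrast it with replacing only '<'.

function h(string $s): string
{
    // ENT_QUOTES: escape both " and ' so the value is safe inside
    //   single- or double-quoted attributes, not just in element text.
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of
    //   returning '' (which would silently drop the whole output).
    // 'UTF-8': must match the charset the page declares.
    // PHP 8.1+ uses ENT_QUOTES | ENT_SUBSTITUTE by default; passing the
    // flags explicitly keeps the behaviour the same on older versions.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function naiveLtOnly(string $s): string
{
    // The approach proposed in the question: replace only '<'.
    return str_replace('<', '&lt;', $s);
}

// Constructed inputs (hypothetical): a harmless string, a script tag,
// and two attribute break-outs that contain no '<' at all.
$inputs = [
    'Alice & Bob',
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    "' onmouseover='alert(1)",
];

foreach ($inputs as $input) {
    echo "input:       $input\n";
    echo "naive:       " . naiveLtOnly($input) . "\n";
    echo "h():         " . h($input) . "\n";
    // The same value placed inside a double-quoted attribute. With the
    // naive replacement the third input closes the attribute and adds an
    // event handler; with h() the quote becomes &quot; and stays data.
    echo 'attr naive:  <input value="' . naiveLtOnly($input) . "\">\n";
    echo 'attr h():    <input value="' . h($input) . "\">\n\n";
}
```

Run it from the command line with php and compare the "attr naive" and "attr h()" lines for the last two inputs: the quote characters, not the slashes, are what let the value escape the attribute. Keep in mind that htmlspecialchars() is correct only for HTML text and quoted attributes; data placed inside a script block, a URL, or an unquoted attribute needs escaping for that specific context.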