David 10K

Reputation: 303

What characters should be replaced to avoid HTML being output?

I have some user input in a website, and I don't want to allow HTML when outputting that input with PHP later.

I think that the only dangerous characters are < , > , / (slash) and \ (backslash).

Am I right?

So, for example, if I replace < with &#60; will it be enough to prevent HTML being output?

Upvotes: 3

Views: 165

Answers (1)

PeeHaa

Reputation: 72739

Simply use the builtin function htmlspecialchars() and you will be good. Just note that you should also always add the encoding argument.

An example is:

echo htmlspecialchars($unsafeString, ENT_QUOTES, 'UTF-8');

Upvotes: 10
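A worked comparison of the question's replace-a-few-characters idea against the answer's htmlspecialchars() call, added here as an example rather than code from the original answer. The functions escape_html() and naive_escape() and the sample strings are constructed for this illustration; the ENT_SUBSTITUTE flag is an extra beyond the answer, used so invalid UTF-8 input is not silently turned into an empty string.

```php
<?php
// Added example; not code from the original answer. escape_html(),
// naive_escape() and the sample strings below are constructed here.

// Output-time escaping for HTML text nodes and quoted attribute values.
function escape_html(string $s): string
{
    // ENT_QUOTES: escape both " and ' (the default flags leave ' alone).
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of
    // returning an empty string, which would silently drop the value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The approach from the question: only < > / \ are replaced.
function naive_escape(string $s): string
{
    return strtr($s, ['<' => '&#60;', '>' => '&#62;', '/' => '&#47;', '\\' => '&#92;']);
}

$samples = [
    // A stray closing tag: both approaches neutralise the angle brackets.
    'tag'    => '</textarea><b>bold</b>',
    // Leaving a double-quoted attribute needs no angle bracket at all, so
    // the naive approach keeps the quote and lets the input add attributes.
    'dquote' => '" title="injected',
    // Single-quoted attributes are only covered when ENT_QUOTES is set.
    'squote' => "' title='injected",
    // & is escaped too (already-escaped input is double-encoded by
    // default), so the browser never reinterprets it as an entity.
    'amp'    => 'Tom &amp; Jerry',
    // Invalid UTF-8 (a lone 0xE9 byte): without ENT_SUBSTITUTE the result is ''.
    'bad'    => "caf\xE9",
];

foreach ($samples as $name => $input) {
    printf("%-6s naive: %s\n", $name, naive_escape($input));
    printf("%-6s safe:  %s\n\n", $name, escape_html($input));
}

// Escape at output time, in the exact context the value is placed in;
// with escape_html() the value cannot close the attribute or the tag.
$user = '" title="injected';
echo '<input type="text" value="' . escape_html($user) . '">' . "\n";
```

Run it with `php example.php`; the "dquote" and "squote" rows show the naive output still containing a bare quote, while the escaped output keeps the whole value inside the attribute.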
