sojohnno

Reputation: 3

Not all eligible encoding using htmlentities

I am using PHP 5.3.6 and using HTML entities to encode some POST data. However, parentheses and % are not encoding to their equivalent entity.

We have been told by the web security team that these characters must be encoded as they could potentially be used in an XSS attack.

Data being posted:

paren ( ) & % won't encode

htmlentities($_POST['first_name'], ENT_QUOTES, "UTF-8");

output:

paren ( ) &amp; % won&#039;t encode

As you can see the ( ) % are untouched.

Thanks in advance.

-EDIT- This is what I ended up using which did the job. Thanks.

function stripcustomchars($encode_chars) {
    // Replace the characters htmlentities() leaves alone with numeric
    // HTML entities (&#37; = %, &#40; = (, &#41; = )); the page rendered
    // the entities decoded, so the decimal form shown here is reconstructed.
    $searches = array('%', '(', ')');
    $replacements = array('&#37;', '&#40;', '&#41;');
    $encoded = str_replace($searches, $replacements, $encode_chars);
    return $encoded;
}

Upvotes: 0

Views: 380

Answers (2)

Quentin

Reputation: 943560

We have been told by the web security team that these characters must be encoded as they could potentially be used in an XSS attack.

If you are inserting the data into HTML (as opposed to, for instance, JavaScript) then that simply isn't true for anything other than <, >, &, " and ' (although even those are possibly overkill, it depends on context). htmlspecialchars is sufficient for most cases (although watch out for old IE and its UTF-7 exploit).

If you are inserting the data into something other than HTML (such as a URI or JavaScript) then you need to use an encoding routine for the target language, not one for HTML. (Although you might need to use HTML encoding afterwards if you then insert it into HTML (e.g. User data into JavaScript into an HTML script element)).

Upvotes: 1
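As an added illustration (not code from the question or from either answer), the same input encoded for the different output contexts this answer describes; the function names are made up for the example and the input string is constructed to mirror the one in the question:

```php
<?php
// Constructed input, mirroring the question's POST data.
$input = "paren ( ) & % won't encode";

// 1. HTML text or attribute context: only < > & " ' have meaning here.
//    ( ) and % are left untouched because the HTML parser ignores them.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. URL query-parameter context: rawurlencode() follows RFC 3986, so
//    ( ) % and ' are all percent-encoded. This is where % matters, and
//    an HTML encoder would not have handled it.
function forUrlParam(string $s): string {
    return rawurlencode($s);
}

// 3. JavaScript string literal inside an inline <script> element:
//    json_encode() yields a valid JS string literal, and the JSON_HEX_*
//    flags turn < > & ' " into \uXXXX so the value can never close the
//    script element. Do NOT htmlspecialchars() this: the browser does
//    not HTML-decode the contents of <script>.
function forInlineScript(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// 4. Nested context: a JS string literal inside an HTML attribute such as
//    onclick. Encode for the innermost language first (JS), then for the
//    outer one (HTML), exactly the layering the answer describes.
function forJsInAttribute(string $s): string {
    return htmlspecialchars(forInlineScript($s), ENT_QUOTES, 'UTF-8');
}

echo "HTML:      ", forHtml($input), "\n";
// paren ( ) &amp; % won&#039;t encode
echo "URL param: ", forUrlParam($input), "\n";
// paren%20%28%20%29%20%26%20%25%20won%27t%20encode
echo "JS:        ", forInlineScript($input), "\n";
// "paren ( ) \u0026 % won\u0027t encode"
echo "JS in attr: ", forJsInAttribute($input), "\n";
// &quot;paren ( ) \u0026 % won\u0027t encode&quot;
```

In the HTML and JavaScript outputs the parentheses and percent sign survive unchanged and are harmless; only the URL encoder rewrites them, because only there do they carry meaning.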

deceze

Reputation: 522081

Parentheses and the percent sign are not special characters in HTML, they have no special meaning. As such, htmlentities doesn't touch them. If you still want to encode them regardless, you need to manually str_replace them. But again, it's pointless to do so in a pure HTML context.

Upvotes: 0
