Sameer Zahid

Reputation: 583

What does htmlentities with ENT_QUOTES and UTF-8 do?

I have always used simple htmlentities($_POST['string']); to clean data for any XSS attacks. Recently I have seen people use this:

htmlentities($_POST['string'], ENT_QUOTES, 'UTF-8');

What is the advantage or purpose of using that over just htmlentities()?

Also, I don't know if it is relevant, but I always use the UTF-8 meta tag at the top of my pages.

Upvotes: 5

Views: 17256

Answers (2)

drtechno

Reputation: 323

The reason people state the character encoding and the entity quotes is that the encapsulation characters ' and " are encoded (ENT_QUOTES), and the 'UTF-8' encoding flag is expressed as:

   htmlentities($_POST['string'], ENT_QUOTES, $encoding="UTF-8");

or

   htmlentities($_POST['string'], ENT_QUOTES, "UTF-8");

in the whole statement.

The main reason to express the character encoding in the filter is to maintain the frame of reference of the input data. If the transmission encoding changed due to either transmission interference or malicious packet alterations, the filter fills the missing data with zeros.

Upvotes: 1

Barmar

Reputation: 781088

ENT_QUOTES is needed if the data is being substituted into an HTML attribute, e.g.

echo '<input type="text" value="' . htmlentities($string, ENT_QUOTES) . '">';

This ensures that quotes are encoded, so they won't terminate the value="..." attribute prematurely.

UTF-8 is necessary if your page uses UTF-8 charset, because the default is to use ISO-8859-1 encoding. These encodings need to match or the user will see strange characters.

Upvotes: 13
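Added example, not code from the question or either answer: a PHP script that runs the two cases Barmar describes (quote handling in an attribute, and the encoding argument) on constructed inputs, and also shows what htmlentities() does when the input contains bytes that are not valid in the declared encoding. The helper name attr() is my own, not a PHP function.

```php
<?php
// Added example, not from the question or answers. Inputs are constructed
// to show quote handling and the effect of the encoding argument.

// Helper (my own name, not a PHP function): the form a practitioner would use
// for attribute values. ENT_SUBSTITUTE is added so invalid bytes become U+FFFD
// instead of the whole string silently collapsing to "" (see case 3).
function attr(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Case 1: breaking out of a single-quoted attribute.
// ENT_COMPAT (the default before PHP 8.1) encodes " but leaves ' alone.
$s = "x' title='injected";
echo "<input value='" . htmlentities($s, ENT_COMPAT, 'UTF-8') . "'>\n";
// -> <input value='x' title='injected'>              (a second attribute was injected)
echo "<input value='" . htmlentities($s, ENT_QUOTES, 'UTF-8') . "'>\n";
// -> <input value='x&#039; title=&#039;injected'>    (stays one attribute)

// Case 2: the encoding argument must match the bytes you actually have.
$utf8 = "caf\xC3\xA9";                                    // "café" as UTF-8
echo htmlentities($utf8, ENT_QUOTES, 'UTF-8'), "\n";      // caf&eacute;
echo htmlentities($utf8, ENT_QUOTES, 'ISO-8859-1'), "\n"; // caf&Atilde;&copy;
// The second line is the "strange characters" a visitor sees when the declared
// encoding (ISO-8859-1) does not match the page's real encoding (UTF-8).

// Case 3: bytes that are not valid in the declared encoding.
$latin1 = "caf\xE9";                                      // "café" as ISO-8859-1, a lone 0xE9
var_dump(htmlentities($latin1, ENT_QUOTES, 'UTF-8'));     // string(0) ""  (input dropped)
var_dump(attr($latin1));                                  // string(6) "caf�"  (U+FFFD)
```

Case 3 is the check worth adding to any input filter: without ENT_SUBSTITUTE a single bad byte makes the encoded output an empty string, which looks like "the field was blank" rather than "the input was rejected".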
