pepe

Reputation: 9919

Do I still need to use htmlentities if I'm using HTMLPurifier?

I've been 'sprinkling'

htmlentities($user_input, ENT_QUOTES, 'UTF-8')

throughout my views, everywhere I echo data that a user had the chance to enter in my app.

This is very tedious and I'm wondering if using HTMLPurifier in my controllers would be a safe substitute to using htmlentities in every echo on the view.

I've noticed that HTMLPurifier alone will, for example, try to close an open <div> instead of removing it, so if some smartass entered his name as Johnny<div> and I echo it in my view, it breaks my entire layout.

But if instead I use htmlentities alone I get

Johnny<div>

and my layout is preserved.

So I'm wondering if this is an issue with HTMLPurifier config or if the best practice is to use it in tandem with htmlentities.

I understand HTMLPurifier has other functions re compliance and valid HTML, but I'm mostly concerned with XSS.

What do you think?

Upvotes: 3

Views: 1748

Answers (3)

Jon

Reputation: 437684

If you are concerned about XSS then use htmlspecialchars (there's no reason to use the full-blown htmlentities for that) and you are golden:

echo htmlspecialchars($user_input);

HTMLPurifier is only meaningful if you want to allow some HTML capability while still preventing XSS. But as with any other piece of code, there's the possibility that it might not work as advertised at some point. Personally, I wouldn't go there.

Update:

Yes, htmlspecialchars does support additional flags (including ENT_QUOTES). However, ENT_QUOTES is only needed if:

  • you are outputting the value of an HTML attribute and
  • you have enclosed the value inside single quotes

So for example, you would not need ENT_QUOTES here:

<p><?php echo htmlspecialchars($input); ?></p>

or here:

<p id="<?php echo htmlspecialchars($input); ?>"></p>

You would need it here:

<p id='<?php echo htmlspecialchars($input, ENT_QUOTES); ?>'></p>

Upvotes: 9

Philipp Lenssen

Reputation: 9218

If you want the user to be able to write HTML, then HTMLPurifier seems to be a good solution -- but from what you're writing, it seems you don't want or need the user to enter HTML, and in that case, it's no solution at all (as you mention, it allows e.g. a div element).

htmlentities, on the other hand, escapes the user input, so it's the way to go for most XSS and blocking HTML. However, note that htmlentities will not protect you against all XSS attacks. For example, if you use single quotes around HTML attributes and allow user input to be inserted into attribute values, then a malicious user can attack you by passing a ' single quote character, thus escaping your quote. To avoid this, you need to use the ENT_QUOTES option. Others at PHP.net have mentioned that special care also needs to be given to double dashes within a comment.

Upvotes: 1

mario

Reputation: 145512

Different purposes. HP is for cleaning HTML, so that users can actually submit HTML which is to be used as actual HTML.

If you expect text, and don't want to use it as HTML, then generally htmlspecialchars. It's particularly suited for text strings that might end up in tag attributes somehow.

If you want to display only text, then you should even prefer the combo:

 htmlspecialchars(strip_tags($input), ENT_QUOTES, "UTF-8")

(Then obviously HP wouldn't make sense. strip_tags() is in fact by itself sufficient for XSS prevention, as long as that content is output in a text node only, not in any attributes.)

Upvotes: 2
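A worked example added here (not code from any of the answers above) that runs the escaping calls from Jon's answer and mario's strip_tags combination over two constructed inputs, rebuilding Jon's single-quoted id attribute so the effect of ENT_QUOTES is visible in the markup. The flags are passed explicitly because since PHP 8.1 the htmlspecialchars default already includes ENT_QUOTES; the function names, the samples and the rendering helper are mine.

```php
<?php
// Added example, not from any answer above: shows what the escaping calls
// discussed here do to constructed inputs, and why ENT_QUOTES matters once
// the value lands inside a single-quoted attribute.
declare(strict_types=1);

// Escape for a text node or a double-quoted attribute.
// ENT_COMPAT is the pre-PHP-8.1 default: it encodes " but leaves ' alone.
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for any attribute context, single-quoted ones included.
function escapeQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// mario's "text only" combination: drop tags first, then escape what is left.
function textOnly(string $s): string
{
    return htmlspecialchars(strip_tags($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Jon's single-quoted attribute, rebuilt with an already-escaped value.
function singleQuotedAttr(string $escaped): string
{
    return "<p id='" . $escaped . "'></p>";
}

// Constructed sample inputs: a stray tag, and a name containing a single quote.
$samples = ["Johnny<div>", "O'Brien"];

foreach ($samples as $input) {
    $compat = escapeCompat($input);
    $quotes = escapeQuotes($input);
    echo "input:       $input\n";
    // With ENT_COMPAT the quote in O'Brien survives and terminates the attribute early.
    echo "ENT_COMPAT:  " . singleQuotedAttr($compat)
        . (strpos($compat, "'") !== false ? "   <-- quote survives, attribute is broken" : "")
        . "\n";
    // With ENT_QUOTES it becomes &#039; and the attribute stays intact.
    echo "ENT_QUOTES:  " . singleQuotedAttr($quotes) . "\n";
    echo "strip+esc:   " . textOnly($input) . "\n\n";
}
```

For "Johnny<div>" both flag sets give `Johnny&lt;div&gt;` and strip_tags reduces it to `Johnny`; for "O'Brien" only the ENT_QUOTES version yields `<p id='O&#039;Brien'></p>`.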
