Tutorial: Minimum requirements for escaping HTML output



Question:

What are the characters that are required and suffice when escaping user-generated content before output? (in other words: what are the characters web developers should escape when outputting text that previously came from an untrusted, anonymous source?)


Solution: 1

When echoing to a page, you should encode

  • '&' (ampersand) becomes '&amp;'
  • '"' (double quote) becomes '&quot;'
  • ''' (single quote) becomes '&#039;'
  • '<' (less than) becomes '&lt;'
  • '>' (greater than) becomes '&gt;'

From PHP's htmlspecialchars() docs.

Note that the context also matters.

You'll also need to take the character set into account.
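As an added example (not from the original answer, and not PHP's own implementation), here is a small Python escaper that applies the five substitutions above, replacing the ampersand first so the entities it emits are not escaped a second time, together with a check that no raw special character survives; the function names are my own.

```python
import re

# The five substitutions from Solution 1, in the order they must be applied:
# '&' goes first, otherwise the '&' inside "&lt;" etc. would be re-escaped.
_HTML_ESCAPES = [
    ("&", "&amp;"),
    ('"', "&quot;"),
    ("'", "&#039;"),   # the entity PHP's htmlspecialchars emits with ENT_QUOTES
    ("<", "&lt;"),
    (">", "&gt;"),
]

# Entities produced by escape_html; used by the sanity check below.
_ENTITY_RE = re.compile(r"&(?:amp|quot|#039|lt|gt);")


def escape_html(text: str) -> str:
    """Escape untrusted text for HTML element content or a quoted attribute."""
    for raw, entity in _HTML_ESCAPES:
        text = text.replace(raw, entity)
    return text


def render_text(untrusted: str) -> str:
    """Untrusted text placed between tags (element content context)."""
    return f"<p>{escape_html(untrusted)}</p>"


def render_attr(untrusted: str) -> str:
    """Untrusted text placed in an attribute. The attribute is always quoted:
    the five escapes are only sufficient inside a quoted attribute value."""
    return f'<input value="{escape_html(untrusted)}">'


def unescaped_specials(html: str) -> set:
    """Return the special characters still raw after removing the entities
    escape_html produces; an empty set means the text is fully escaped."""
    stripped = _ENTITY_RE.sub("", html)
    return {c for c in stripped if c in "&<>\"'"}


if __name__ == "__main__":
    sample = "Tom & Jerry <b>\"x\"</b> 'y'"   # constructed sample input
    print(render_text(sample))
    print(render_attr(sample))
    # Escaping is not idempotent: escape exactly once, at output time.
    print(escape_html(escape_html("<")))   # prints "&amp;lt;"
```

Because output is escaped at the moment of echoing, the same stored string can be rendered in either context; the charset note above still applies, so the final bytes should be emitted in the encoding the page declares.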


Solution: 2

I think that escaping the < > & " ' symbols should be enough for any scenario.

