htmlspecialchars() does everything you need it to. htmlentities() is for special use cases, like Chinese characters, where you may want to escape them, even though it is not 100% required. htmlspecialchars() seems to be sufficient to protect you from any type of XSS.
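The escaping discussed in this answer, as an added example that is not part of the original answer. The helper name iframe_srcdoc, the sample document, the explicit flags and the sandbox attribute are assumptions introduced here.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original post): builds an iframe whose
// srcdoc attribute carries an arbitrary HTML document.
function iframe_srcdoc(string $html): string
{
    // ENT_QUOTES is passed explicitly: before PHP 8.1 the default flags
    // (ENT_COMPAT) left single quotes unescaped.
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of making
    // htmlspecialchars() return an empty string.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    $attr  = htmlspecialchars($html, $flags, 'UTF-8');

    // Attribute escaping only keeps the value inside the quotes. The framed
    // document is still parsed as HTML, so the empty sandbox attribute is
    // added here (an assumption of this example) to disable scripts in it.
    return '<iframe sandbox srcdoc="' . $attr . '"></iframe>';
}

// Constructed sample input: both quote styles, an ampersand, non-ASCII text.
$doc = '<p title="a" class=\'b\'>Tom & Jerry: 你好 <b>é</b></p>';

$tag = iframe_srcdoc($doc);
echo $tag, PHP_EOL;

// Extract the escaped attribute value from the generated tag.
$prefix = '<iframe sandbox srcdoc="';
$suffix = '"></iframe>';
$value  = substr($tag, strlen($prefix), -strlen($suffix));

// Check 1: no raw double quote is left that could close the attribute early.
var_dump(strpos($value, '"') === false);

// Check 2: decoding the attribute value, as an HTML parser would, yields the
// original document unchanged.
var_dump(html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $doc);

// For comparison: htmlentities() also converts every character that has a
// named HTML entity, which a UTF-8 page does not need for the attribute to
// stay intact. Characters without a named entity are left as they are.
echo htmlentities($doc, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'), PHP_EOL;
```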
Safe way to escape iframe srcdoc value in PHP?
Question
Which PHP function is suited to escape HTML for usage in <iframe srcdoc="???">?
I found two candidates: htmlspecialchars() and htmlentities(). Which one should be used to allow any possible HTML code to be escaped properly?
Solution
Not affiliated with StackOverflow