From: "Jordi Canals" <[EMAIL PROTECTED]>

> John Holmes wrote:
>
>>> $uservar = htmlspecialchars(strip_tags($uservar));
>>
>> You don't need to use strip_tags _and_ htmlspecialchars()... unless you
>> want strip_tags to get rid of such malicious and deadly content such as
>> <grin> and <wow>. Just use htmlspecialchars().
>
> Well, my idea was to apply both: I do not want to get any tag in the
> user input and prevent showing the HTML tags in the later output. For
> that I've applied strip_tags().
>
> To apply htmlspecialchars() after that is done to convert double quotes
> and ampersands to HTML entities. Not applying it has two effects: strings
> with quotes do not show correctly in input boxes, and strings with
> ampersands do not pass the W3C validator. And just to convert lt and gt
> signs when used alone like ... 5 > 2.
>
> Those are just my reasons to apply both: security and getting a clean string.
There's no added security by using strip_tags and you're just removing content that the user wanted to include. I guess it depends upon what this text is. If you apply htmlspecialchars() to a string that contains HTML, Javascript code, etc., the code will not be evaluated, so there is no security risk.

I don't know what the purpose of the text you're receiving is, but if I entered "Use an <img> tag for that" and you stripped out <img>, it would suck. If you just applied htmlspecialchars(), then when you redisplayed my text, either in regular HTML or in a text box, you'd see exactly what I entered. The <img> text would not be evaluated as HTML and no actual image box would be shown.

If you can't tell, I _hate_ the strip_tags function as it needlessly removes content and the "allowable_tags" gives a false sense of security.

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
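The two approaches argued about in this thread, side by side, as an added example (this is not code posted by either participant). It runs Jordi's strip-then-escape pipeline and John's escape-only approach over a few constructed inputs covering the cases the thread raises: legitimate text that mentions a tag, quotes and ampersands inside an input box value, a lone comparison sign, and active content that must come back inert. The function names and the sample strings are this example's own.

```php
<?php
// Added example, not code from the thread. It applies both approaches
// discussed above to constructed inputs so the difference between
// "strip it" and "escape it" shows up in the actual output.

declare(strict_types=1);

/** Jordi's approach: remove anything that looks like a tag, then escape the rest. */
function stripThenEscape(string $input): string
{
    return htmlspecialchars(strip_tags($input), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** John's approach: escape only, so the user's text survives unchanged. */
function escapeOnly(string $input): string
{
    // ENT_QUOTES escapes both " and ', so the result is safe inside
    // value="..." as well as value='...'; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render an already-escaped value as body text and as an input box value. */
function render(string $escaped): string
{
    return "<p>$escaped</p>\n<input type=\"text\" value=\"$escaped\">";
}

// Constructed inputs, one per case raised in the thread.
$inputs = [
    'Use an <img> tag for that',        // John's example: ordinary text that mentions a tag
    'He said "hello" & left',           // Jordi's quotes-in-input-box and ampersand cases
    '5 > 2',                            // Jordi's lone comparison sign
    'if (a<b && c>d) swap(a, b);',      // strip_tags treats <b && c> as a tag
    '<script>alert("x")</script>',      // active content: must be inert when redisplayed
];

foreach ($inputs as $raw) {
    echo "Input:        $raw\n";
    echo "strip+escape: " . stripThenEscape($raw) . "\n";
    echo "escape only:  " . escapeOnly($raw) . "\n";
    echo render(escapeOnly($raw)) . "\n\n";
}
```

Running it shows the point John is making: escaping alone keeps every input readable when redisplayed, the `<img>` and `<script>` strings included, because `<` becomes `&lt;` and the browser never sees a tag; the strip-then-escape pipeline returns the same inert output but silently drops the `<img>` mention and the `<b && c>` fragment of the code sample. The one caveat to carry away is that htmlspecialchars() is the right tool for exactly the two contexts the example renders, element text and quoted attribute values; it does not make a value safe inside a `<script>` block, an unquoted attribute, a URL, or a CSS rule, each of which needs its own context-specific escaping.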