What the htmlspecialchars() function does:
The htmlspecialchars() function converts certain predefined characters to HTML entities so that they are rendered as text rather than interpreted as markup.
The predefined characters are:
- & (ampersand) becomes &amp;
- " (double quote) becomes &quot; (unless ENT_NOQUOTES is set)
- ' (single quote) becomes &#039; (only when ENT_QUOTES is set; &apos; if ENT_HTML5 is also set)
- < (less than) becomes &lt;
- > (greater than) becomes &gt;
Its syntax is as follows:
htmlspecialchars(string $string, int $flags, ?string $encoding = null, bool $double_encode = true): string
Before PHP 8.1 the default for $flags was ENT_COMPAT | ENT_HTML401; from PHP 8.1 it is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
The second parameter, flags, deserves close attention: many developers who rely on htmlspecialchars() to filter XSS get bypassed because they overlook it, since the flags parameter decides which quotation marks are encoded:
The available quote handling flags are:
- ENT_COMPAT - the default before PHP 8.1. Encodes only double quotes.
- ENT_QUOTES - encodes both double and single quotes.
- ENT_NOQUOTES - encodes no quotes at all.
The default encodes only double quotes! Only double quotes are encoded by default! Important things deserve repeating (on PHP 8.1 and later the default finally became ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but older releases still behave as described). So look at the following code:
<?php
$name = $_GET["name"];
$name = htmlspecialchars($name);
?>
<input type='text' value='<?php echo $name; ?>'>
This is easily bypassed: the value is placed inside a single-quoted attribute, and a single quote in name is passed through untouched, so it terminates the attribute value. The fix is to pass the ENT_QUOTES flag:
<?php
$name = $_GET["name"];
$name = htmlspecialchars($name, ENT_QUOTES);
?>
<input type='text' value='<?php echo $name; ?>'>
Viewing the page source shows that it can no longer be bypassed this way:
The single quotation marks have been converted to &#039;.
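The following is an added example, not code from the original article, that puts the vulnerable and fixed escaping side by side and checks whether a single quote survives. It runs from the PHP CLI with no web server; the PAYLOAD constant is a constructed stand-in for $_GET["name"], and the helper function names are assumptions made for this example. ENT_COMPAT is passed explicitly so the "vulnerable" branch behaves the same on PHP 8.1 and later, where the default flags changed.

```php
<?php
// Added example (not from the original article). Demonstrates why the
// pre-8.1 default flags of htmlspecialchars() fail inside a single-quoted
// attribute, and what ENT_QUOTES changes.
declare(strict_types=1);

// Constructed attacker input standing in for $_GET["name"]: it closes the
// single-quoted value attribute and injects an event-handler attribute.
const PAYLOAD = "' onfocus='alert(1)";

// The article's vulnerable pattern: ENT_COMPAT encodes only double quotes.
// (Passed explicitly so the result matches on PHP >= 8.1 as well.)
function escapeVulnerable(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// The article's fix: ENT_QUOTES encodes single quotes too. ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of making the whole call return "".
function escapeFixed(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Same template as the article: value is wrapped in single quotes.
function renderInput(string $escaped): string
{
    return "<input type='text' value='" . $escaped . "'>";
}

// A raw single quote in the escaped text means the attribute value can be
// terminated early, i.e. the injection succeeds.
function canBreakOutOfSingleQuotes(string $escaped): bool
{
    return strpos($escaped, "'") !== false;
}

$cases = [
    'vulnerable (ENT_COMPAT)' => escapeVulnerable(PAYLOAD),
    'fixed (ENT_QUOTES)'      => escapeFixed(PAYLOAD),
];

foreach ($cases as $label => $escaped) {
    printf("%-24s %s\n", $label, renderInput($escaped));
    printf("%-24s breaks out: %s\n", '', canBreakOutOfSingleQuotes($escaped) ? 'yes' : 'no');
}
// Output:
//   vulnerable (ENT_COMPAT)  <input type='text' value='' onfocus='alert(1)'>
//                            breaks out: yes
//   fixed (ENT_QUOTES)       <input type='text' value='&#039; onfocus=&#039;alert(1)'>
//                            breaks out: no
```

Two practical notes. First, always pass the flags and the encoding explicitly rather than trusting the defaults, because the defaults depend on the PHP version the code ends up running on. Second, ENT_QUOTES fixes the quoted-attribute case only: an unquoted attribute (value=<?php echo $name; ?>), an event-handler attribute, or a value echoed into inline JavaScript is a different output context and needs context-specific encoding, not just htmlspecialchars().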
Issues with using htmlspecialchars() to filter XSS