Gareth Heyes posted "htmlentities is badly designed" on his blog: http://www.thespanner.co.uk/2007/11/26/htmlentities-is-badly-designed/
His point is that htmlentities() called with its default parameters does not escape everything an attacker needs, so XSS remains possible. The description from the PHP manual:
htmlentities
(PHP 3, PHP 4, PHP 5)
htmlentities -- Convert all applicable characters to HTML entities
Description
string htmlentities ( string $string [, int $quote_style [, string $charset ]] )
This function is identical to htmlspecialchars() in all ways, except that with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.
Like htmlspecialchars(), the optional second quote_style parameter lets you define what will be done with 'single' and "double" quotes. It takes on one of three constants with the default being ENT_COMPAT:
Table 1. Available quote_style constants
Constant Name Description
ENT_COMPAT Will convert double-quotes and leave single-quotes alone.
ENT_QUOTES Will convert both double and single quotes.
ENT_NOQUOTES Will leave both double and single quotes unconverted.
htmlspecialchars() performs the following translations:
& (ampersand) becomes &amp;
" (double quote) becomes &quot; when ENT_NOQUOTES is not set.
' (single quote) becomes &#039; only when ENT_QUOTES is set.
< (less than) becomes &lt;
> (greater than) becomes &gt;
Therefore htmlentities($variable, ENT_QUOTES) is safer than htmlentities($variable) alone, since the default ENT_COMPAT leaves single quotes untouched and so fails for values placed inside single-quoted attributes. But htmlentities() is only a character-rewriting function: it knows nothing about how the browser will interpret the bytes it leaves alone, so in many cases XSS is still possible, for example when the response carries no charset and the browser can be made to decode it as UTF-7, or through malformed UTF-8 sequences.
Test:
<?php
// Deliberately vulnerable: the value is escaped, but no charset is sent,
// so the browser is free to guess one. htmlentities() behaves the same way here.
echo htmlspecialchars($_GET['url'], ENT_QUOTES);
?>
Submit: url=%2bADw-SCRIPT%2bAD4-alert(document.cookie)%2bADw-%2fSCRIPT%2bAD4-
After URL decoding this is +ADw-SCRIPT+AD4-alert(document.cookie)+ADw-/SCRIPT+AD4-, which is the UTF-7 encoding of <SCRIPT>alert(document.cookie)</SCRIPT>. It contains none of the five characters htmlspecialchars() rewrites, so it is echoed unchanged; if the page declares no charset and the browser sniffs the document as UTF-7 (as older Internet Explorer did), the script runs.
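To make the mechanism concrete, here is an added Python model of the test above (it is not the post's own code and not PHP). It re-implements htmlspecialchars($s, ENT_QUOTES) character for character, pushes the post's payload through it, then decodes the response body the way a browser would: with the declared charset when one is sent, and with a sniffed UTF-7 when none is. The request string, the "sniffed UTF-7" default and the function names are constructed for the example; real current browsers no longer support UTF-7, so the vulnerable branch models old Internet Explorer behaviour.

```python
import html
import re
import urllib.parse

# Constructed sample request: the UTF-7 payload from the post, percent-encoded
# exactly as it travels in the query string (%2b is '+', %2f is '/').
QUERY = "url=%2bADw-SCRIPT%2bAD4-alert(document.cookie)%2bADw-%2fSCRIPT%2bAD4-"


def php_htmlspecialchars(s: str, ent_quotes: bool = True) -> str:
    """Python model of PHP's htmlspecialchars($s, ENT_QUOTES).

    Only the five characters & " ' < > are rewritten; every other byte
    passes through untouched, which is all the UTF-7 payload needs.
    """
    out = html.escape(s, quote=False)          # handles & < >
    out = out.replace('"', "&quot;")
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def escaped_url_param(query: str) -> str:
    """What the page echoes: htmlspecialchars($_GET['url'], ENT_QUOTES)."""
    url = urllib.parse.parse_qs(query)["url"][0]
    return php_htmlspecialchars(url)


def vulnerable_response(query: str) -> dict:
    """The page as written: escaping is done, but no charset is declared."""
    return {"content_type": "text/html", "body": escaped_url_param(query)}


def hardened_response(query: str) -> dict:
    """Same escaping, plus an explicit charset so the browser cannot guess."""
    return {"content_type": "text/html; charset=UTF-8",
            "body": escaped_url_param(query)}


def browser_render(response: dict, sniffed_charset: str = "utf-7") -> str:
    """Model of the browser: honour a declared charset, otherwise sniff.

    The sniffed default is UTF-7 (an assumption for this example) to mirror
    the old Internet Explorer behaviour that made the attack work.
    """
    m = re.search(r"charset=([\w-]+)", response["content_type"], re.I)
    charset = m.group(1) if m else sniffed_charset
    return response["body"].encode("ascii").decode(charset)


def is_script_injected(rendered: str) -> bool:
    """True when the rendered markup contains a live <script> element."""
    return re.search(r"<script[\s>]", rendered, re.I) is not None


if __name__ == "__main__":
    vuln = browser_render(vulnerable_response(QUERY))
    safe = browser_render(hardened_response(QUERY))
    print("no charset  ->", vuln, "| injected:", is_script_injected(vuln))
    print("charset set ->", safe, "| injected:", is_script_injected(safe))
```

The escaper returns the payload byte for byte unchanged in both cases; the only thing that differs is the charset the browser applies afterwards. In PHP the corresponding fix is to send an explicit charset (header('Content-Type: text/html; charset=UTF-8') or the equivalent meta tag) and to pass the same charset as the third argument to htmlentities()/htmlspecialchars(), so the escaper and the browser agree on one encoding.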
Double-encoding situations, where output that has already been escaped is decoded again further down the line, can likewise get a payload past htmlentities().