When text is submitted by users, it may contain HTML-specific characters such as < and >. Care should be taken not to leave any security holes open for a malicious user to exploit. If user-submitted text is displayed back to site visitors, the function ‘htmlentities()’ should be considered for preventing embedded HTML and scripts from running, which could otherwise harm the site visitors.

The ‘htmlentities()’ function receives a string and returns the same string with the HTML-significant characters converted to entities. For example, the string ‘<script>’ would be converted to ‘&lt;script&gt;’. The < and > characters are converted to the entities &lt; and &gt;, so the browser displays them as text instead of parsing them as a tag.


// User-submitted text containing a script tag (a constructed sample).
$userInput = "This site could be hacked!
<script type='text/javascript'>
window.location = 'http://www.mysite.com/'
</script>";
// Convert <, > and similar characters to entities so the browser shows the tag as text.
$userInputEntities = htmlentities($userInput);
echo $userInputEntities;
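The following is an added example (not code from the original post) showing how a small escaping helper built on htmlentities() behaves in element content and inside a quoted attribute; the helper name e() and the sample strings are assumptions.

```php
<?php
// Central escaping helper (added example, not from the original post).
// ENT_QUOTES also converts single quotes, which matters when the value is
// placed inside a single-quoted attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string. Before PHP 8.1 the
// default flags did not include ENT_QUOTES, so pass them explicitly.
function e(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample of user-submitted text that contains markup.
$userInput = "This site could be hacked!<script>window.location = 'http://www.mysite.com/'</script>";

// Unsafe: the browser would parse the tag and run the script.
// echo "<p>$userInput</p>";

// Safe: the tag arrives as literal text.
echo "<p>" . e($userInput) . "</p>\n";
// <p>This site could be hacked!&lt;script&gt;window.location = &#039;http://www.mysite.com/&#039;&lt;/script&gt;</p>

// Attribute context: the single quote is encoded, so it cannot close the
// attribute early. Without ENT_QUOTES it would be left as-is.
$name = "O'Brien";
echo "<input type='text' value='" . e($name) . "'>\n";
// <input type='text' value='O&#039;Brien'>
```

This escaping is correct for HTML element content and quoted attribute values only; text placed inside a JavaScript block or a URL needs the encoding appropriate to that context.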

Posted in: PHP

