PHP Tizag Tutorial-52

The htmlentities function converts HTML characters to HTML entities to prevent malicious code from being executed. It takes a string and returns the same string with HTML tags and scripts converted to entity references. This prevents the browser from interpreting the code as HTML elements or scripts. For example, "<script>" would become "&lt;script&gt;". Using htmlentities on user-submitted content before displaying it makes the output secure and prevents exploits.

Uploaded by Anil Kumar

PHP htmlentities Function

Whenever you allow your users to submit text to your website, you need to be careful that you don't leave
any security holes open for malicious users to exploit. If you are ever going to make user-submitted text
visible to the public, you should consider using the htmlentities function to prevent them from running HTML code
and scripts that may be harmful to your visitors.

PHP - Converting HTML into Entities

The htmlentities function takes a string and returns the same string with HTML converted into HTML
entities. For example, the string "<script>" would be converted to "&lt;script&gt;".
By converting the < and > into entities, it prevents the browser from treating them as the start and end of an HTML element, and it
prevents the code from running if you were to display some user's input on your website.
This may seem a little complicated, but if you think of the way a browser works, in separate stages, it
becomes a little easier. Let's look at the way the function htmlentities changes the data at three different levels:
in PHP, in the raw HTML, and in the web browser. The sample string is a bad script that will redirect visitors to the
malicious user's own website.

PHP Code:
<?php
// An imaginary article submission from a bad user
// it will redirect anyone to example.com if the code is run in a browser
$userInput = "I am going to hax0r your site, hahaha!
<script type='text/javascript'>
window.location = 'http://www.example.com/'
</script>'";

// Let's make it safer before we use it:
// htmlentities() replaces < and > (and " with the default flags) with entity references.
// Note: before PHP 8.1 the default flags left single quotes unchanged,
// which is why the trailing ' survives in the output below.
$userInputEntities = htmlentities($userInput);

// Now we can display it
echo $userInputEntities;

The HTML output of the above script would be as follows:

Safe Raw HTML Code:

I am going to hax0r your site, hahaha!
&lt;script type='text/javascript'&gt;
window.location = 'http://www.example.com/'
&lt;/script&gt;'

If we had not used htmlentities to convert the HTML code into safe entities, the raw HTML
code would have contained the user's script tags unchanged, and it would have redirected any visitor to example.com.
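The three levels described above, checked in code rather than by eye. This is an added example, not code from the Tizag tutorial; the helper names (escapeForHtml, containsTagDelimiter, roundTrips) are ours, and the user string is a constructed sample modelled on the tutorial's.

```php
<?php
// Added example, not part of the Tizag tutorial. It runs a constructed
// user string through htmlentities() and checks the three levels the
// text describes: the PHP string, the raw HTML sent to the browser, and
// whether the browser's parser could still read any of it as markup.

// Escape a string for an HTML text node (helper name is ours, not PHP's).
function escapeForHtml(string $s): string
{
    // ENT_QUOTES: also convert ' (PHP < 8.1 defaulted to ENT_COMPAT, which
    //             left single quotes alone, as in the tutorial's output)
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning ""
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// True if the string still contains a character the HTML parser could
// read as the start of a tag.
function containsTagDelimiter(string $html): bool
{
    return strpos($html, '<') !== false;
}

// True if decoding the entities gives back exactly the original text,
// i.e. the visitor reads the submission verbatim, just not as markup.
function roundTrips(string $original, string $escaped): bool
{
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML401, 'UTF-8') === $original;
}

// Level 1: the PHP string as submitted (constructed sample, same idea as
// the tutorial's redirect script).
$userInput = "I am going to hax0r your site, hahaha!\n"
           . "<script type='text/javascript'>\n"
           . "window.location = 'http://www.example.com/'\n"
           . "</script>";

// Level 2: the raw HTML that would be written into the page.
$safe = escapeForHtml($userInput);

// Level 3: what the browser could do with each version.
printf("unescaped still has a tag delimiter: %s\n",
       containsTagDelimiter($userInput) ? 'yes' : 'no');
printf("escaped still has a tag delimiter:   %s\n",
       containsTagDelimiter($safe) ? 'yes' : 'no');
printf("escaped text decodes back to input:  %s\n",
       roundTrips($userInput, $safe) ? 'yes' : 'no');

echo "\nSafe raw HTML:\n", $safe, "\n";
```

Passing the flags and charset explicitly, as escapeForHtml does, keeps the result the same across PHP versions instead of depending on the defaults that changed in PHP 8.1.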
