Dangerous Raw HTML Code:: When Would You Use Htmlentities?

Download as pdf or txt
Download as pdf or txt
You are on page 1of 1

Dangerous Raw HTML Code:

I am going to hax0r your site, hahaha!


<script type='text/javascript'>
window.location = 'http://www.example.com/'
</script>'

Those two HTML code examples are what you would see if you were to view source on the web page.
However, if you were just viewing the output normally in your browser you would see the following.

Safe Display:
I am going to hax0r your site, hahaha! <script type='text/javascript'> window.location =
'http://www.example.com/' </script>'

Dangerous Display:
You'd see whatever spammer site that the malicious user had sent you to. Probably some
herbal supplement site or weight loss pills would be displayed.

When Would You Use htmlentities?

Anytime you allow users to submit content to your website, that other visitors can see, you should
consider removing the ability to let them use HTML. Although this will remove a lot of cool things that your
users can do, like making heavily customized content, it will prevent your site from a lot of common attacks.
With some custom coding you can just remove specific tags from running, but that is beyond the scope of this
lesson.
Just remember, that when allowing users to submit content to your site you are also giving them access to
your website. Be sure you take the proper precautions.

You might also like