php - Not all eligible encoding using htmlentities


I am using PHP 5.3.6 and using HTML entities to encode some POST data. However, parentheses and % are not encoding to their equivalent entity.

We have been told by the web security team that these characters must be encoded as they could potentially be used in an XSS attack.

Data being posted:

paren ( ) & % won't encode

htmlentities($_POST['first_name'], ENT_QUOTES, "UTF-8");

output:

paren ( ) &amp; % won&#039;t encode

As you can see the ( ) % are untouched.

Thanks in advance.

-EDIT- This is what I ended up using which did the job. Thanks.

// Replaces % ( ) with their numeric HTML character references.
// The rendered page had decoded the replacement entities back into the literal
// characters, which would make str_replace a no-op; the decimal references
// below are the assumed originals.
function stripcustomchars($encode_chars) {
    $searches     = array('%', '(', ')');
    $replacements = array('&#37;', '&#40;', '&#41;');
    return str_replace($searches, $replacements, $encode_chars);
}

Answer


We have been told by the web security team that these characters must be encoded as they could potentially be used in an XSS attack.

If you are inserting the data into HTML (as opposed to, for instance, JavaScript) then that simply isn't true for anything other than <, >, &, " and ' (although even those are possibly overkill, it depends on context). htmlspecialchars is sufficient for most cases (although watch out for old IE and its UTF-7 exploit).

If you are inserting the data into something other than HTML (such as a URI or JavaScript) then you need to use an encoding routine for the target language, not one for HTML. (Although you might need to use HTML encoding afterwards if you then insert it into HTML (e.g. User data into JavaScript into an HTML script element)).
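A worked example added here (it is not code from the question or from either answer) showing the context-specific encoders this answer describes: the same untrusted value placed into an HTML element, a JavaScript literal, and a URL inside an href. The input string is constructed.

```php
<?php
// Constructed sample input; covers the characters from the question plus an
// obvious HTML/JS special sequence so each encoder's effect is visible.
$input = "paren ( ) & % won't encode <script>alert(1)</script>";

// 1. HTML text/attribute context: htmlspecialchars with ENT_QUOTES is enough.
//    ( ) and % are left alone because they carry no meaning in HTML.
function forHtml($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2. JavaScript context inside a <script> element: encode for JavaScript
//    first. json_encode with the JSON_HEX_* flags escapes < > & ' " as \uXXXX,
//    so the literal cannot close the <script> element or start new markup.
function forJavaScript($s) {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// 3. URL query-string context: percent-encode for the URL (here % does get
//    encoded, as %25), then HTML-encode the finished URL because it is being
//    inserted into an HTML attribute. Encode in layers, innermost first.
function forHref($base, $s) {
    $url = $base . '?first_name=' . rawurlencode($s);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

echo '<p>' . forHtml($input) . "</p>\n";
echo '<script>var firstName = ' . forJavaScript($input) . ";</script>\n";
echo '<a href="' . forHref('/search', $input) . '">search</a>' . "\n";
```

Note that only the URL case touches % and none of the three touches ( ) in the HTML output; each encoder escapes exactly what is special in its own context.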


Answer


Parentheses and the percent sign are not special characters in HTML, they have no special meaning. As such, htmlentities doesn't touch them. If you still want to encode them regardless, you need to manually str_replace them. But again, it's pointless to do so in a pure HTML context.
