In short, no
----------test.php---------
<html>
<head><title>test</title></head>
<body>
<?php
// htmlentities() escapes <, >, & and double quotes, but
// "javascript:alert('hi')" contains none of them, so the javascript:
// URL reaches the browser's attribute parser intact.
$test = "javascript:alert('hi')";
print "<img src=\"" . htmlentities($test) . "\">";
?>
</body>
</html>
---------end test.php-------
will still execute the script on the client side. The function(s) do
filter special characters, but do not fully prevent cross-site scripting.
-Nik Cubrilovic
On Mon, 11 Mar 2002, Steve Sobol wrote:
> Hello folks,
>
> Using PHP, if I have a text string I want to display, is it enough to use
> htmlentities() or htmlspecialchars()
> to encode potentially dangerous characters, or do I need to take further
> precautions?
>
> http://www.php.net/manual/en/function.htmlentities.php
>
> http://www.php.net/manual/en/function.htmlspecialchars.php
>
>
>
>
> --
> JustThe.net LLC - Steve "Web Dude" Sobol, CTO ICQ: 56972932/WebDude216
> website: http://JustThe.net email: [EMAIL PROTECTED] phone: 216.619.2NET
> postal: 5686 Davis Drive, Mentor On The Lake, OH 44060-2752 DalNet: ZX-2
>
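The underlying point of the reply above is that htmlentities() and htmlspecialchars() are encoders for one context (text nodes and ordinary attribute values) and do nothing about the scheme of a URL that ends up in src or href. The following is an added example, not code from the thread or from PHP itself, of keeping the two cases apart: a plain text encoder next to a URL-attribute encoder that checks the scheme against an allow-list before encoding. The function names encode_text and encode_url_attr, the "#" placeholder for rejected URLs, and the constructed sample inputs are this example's own choices; it assumes PHP 7.0 or later.

```php
<?php
// Added example, not part of the original thread. Function names,
// the "#" placeholder and the sample inputs are assumptions of this
// example; assumes PHP 7.0 or later.
//
// htmlspecialchars()/htmlentities() neutralise the characters that let an
// attacker break out of an attribute or start a tag. "javascript:alert('hi')"
// contains none of them, so it survives encoding and is still handed to the
// browser as a URL. A value that lands in a URL attribute therefore needs a
// scheme check in addition to encoding.

/** Encoder for text nodes and non-URL attributes (alt, title, ...). */
function encode_text(string $value): string
{
    // ENT_QUOTES covers both quote styles; the explicit charset avoids
    // relying on the interpreter's default encoding.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Encoder for URL-valued attributes (src, href, action, ...).
 * Only URLs whose scheme is in $allowedSchemes, or scheme-less relative
 * URLs, are passed through; everything else becomes the placeholder "#".
 */
function encode_url_attr(string $url, array $allowedSchemes = ['http', 'https']): string
{
    // Strip ASCII control characters and whitespace first: some browsers
    // ignored them inside the scheme, so "java\tscript:" must not slip past
    // a naive prefix check.
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($clean === null || $clean === '') {
        return '#';
    }

    $parts = parse_url($clean);
    if ($parts === false) {
        return '#';                     // unparsable: refuse it
    }
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), $allowedSchemes, true)) {
        return '#';                     // javascript:, data:, vbscript:, ...
    }

    // The scheme is acceptable; now encode the value for the attribute context.
    return htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The value from the original test.php.
$test = "javascript:alert('hi')";

// Pattern from the post: encoded, but the javascript: scheme passes through.
$vulnerable = '<img src="' . encode_text($test) . '">';
// Hardened: the scheme is checked before the value reaches the attribute.
$hardened = '<img src="' . encode_url_attr($test) . '">';

echo "vulnerable: $vulnerable\n";
echo "hardened:   $hardened\n";

// Constructed inputs showing what the scheme check accepts and rejects.
$cases = [
    "JaVaScRiPt:alert(1)",                         // case variant
    "java\tscript:alert(1)",                       // embedded tab
    "data:text/html,<script>alert(1)</script>",    // another active scheme
    "https://example.com/a.png?x=\"><script>",     // allowed scheme, hostile characters
    "/images/a.png",                               // relative URL
];
foreach ($cases as $case) {
    printf("%-45s -> %s\n", json_encode($case), encode_url_attr($case));
}
```

Run it with `php` from the command line. The first two echo lines put the post's encoded-but-live javascript: URL next to the placeholder the hardened encoder substitutes for it; the loop shows that case changes, embedded whitespace and other active schemes are rejected while an https URL is kept and only its quote and angle-bracket characters are encoded. Note that scheme-less values, including protocol-relative "//host/path" URLs, are accepted as relative references; tighten the check if your application never emits those.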