Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Reply To: Try out my first PHP web app!

#180698
Participant

So is the method in place right now incorrect?

When you have text that is supposed to be “plain text,” it must be encoded as html entities by the time it gets to the page.

Say you had a post titled “All About The <H1>Headings</H1>”. If you use htmlentities, it will look like this:

All About The &lt;H1&gt;Headings&lt;/H1&gt;

But when viewed in the browser it will look like plain text. If you decode that, then when it gets to the browser, it will look like this:

All About The

Headings

This is exactly what XSS attacks are about: confusing what is supposed to be data (content) with what is supposed to be instructions (HTML markup).
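The encode-on-output rule described in the reply, shown as an added PHP example (this is not code from the forum thread or from the poster's app). The `e()` helper and the `renderTitle*` functions are assumed names, and the post title is a constructed sample value. The safe renderer sends the entity-encoded string to the browser unchanged; the unsafe renderer decodes the entities first, which is the step that turns stored data back into markup.

```php
<?php
// Added example, not from the original forum post.
// Demonstrates: encode untrusted text as HTML entities at the point it is written
// into the page, and never decode it back before output.

declare(strict_types=1);

// Encode a string for HTML text content or a double-quoted attribute value.
// ENT_QUOTES also encodes ' and " so the value cannot break out of an attribute.
function e(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Correct: the encoded title reaches the browser as-is, and the browser
// displays the literal characters "<H1>" instead of interpreting them.
function renderTitleSafe(string $title): string
{
    return '<h2 class="post-title">' . e($title) . '</h2>';
}

// Also correct: attribute context. Without ENT_QUOTES a double quote in the
// title could close the attribute and inject new attributes or tags.
function renderLinkSafe(string $title, string $href): string
{
    return '<a href="' . e($href) . '" title="' . e($title) . '">' . e($title) . '</a>';
}

// The mistake the reply warns about: decoding the entities before output
// converts the stored data back into markup, which the browser then executes
// as a real heading (or as a script, if that is what the text contained).
function renderTitleUnsafe(string $title): string
{
    $decoded = html_entity_decode(e($title), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 class="post-title">' . $decoded . '</h2>';
}

// Constructed sample input: a post title that happens to contain markup.
$title = 'All About The <H1>Headings</H1>';
$href  = '/posts/1?ref="demo"';

echo "Safe (encoded on output):\n";
echo renderTitleSafe($title) . "\n";
echo renderLinkSafe($title, $href) . "\n\n";

echo "Unsafe (decoded before output):\n";
echo renderTitleUnsafe($title) . "\n";
```

Run it with `php example.php` and compare the two outputs: in the safe case the angle brackets arrive at the browser as `&lt;` and `&gt;` and render as visible text, while in the unsafe case the raw `<H1>` tags are emitted and the browser renders a heading. The same split applies to any user-controlled value, so the habit worth building is to route every such value through the encoder in the template and to store the original text unmodified, rather than encoding at insert time and then having to guess whether a stored value was already encoded.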