[UPHPU] i18n and php

Fred Larsen fred at bitwyze.com
Wed May 18 15:23:39 MDT 2005


On May 18, 2005, at 2:31 PM, Dave Smith wrote:

> For this reason I use htmlspecialchars() instead of htmlentities(). It
> doesn't have the charset problems mentioned.
>
>

According to the php manual;

http://us2.php.net/manual/en/function.htmlentities.php

"This function (htmlentities) is identical to htmlspecialchars() in all ways, except
with htmlentities(), all characters which have HTML character entity equivalents
are translated into these entities."

So htmlspecialchars could produce the same vulnerability caused by inconsistent
character encoding.  Also, htmlentities does a more thorough job of translating
potentially malicious html entities.

>> Also remember if you are displaying user input and are using
>> htmlentities to foil cross site scripting attacks (as you should)
>> remember to make the third argument, charset, match the encoding you
>> supplied in the page header.
>>
>> There are some attacks that will exploit the difference in the page
>> encoding and the htmlentities output encoding.  So always make sure
>> they match.
>>
>> On May 18, 2005, at 12:57 PM, Dave Smith wrote:
>>
>>
>>> To answer the question at hand: PHP 4 (not sure about 5) has no
>>> support
>>> for unicode strings. This means you have to use UTF-8, which most
>>> browsers
>>> *do* support. Just put something like this at the top of every page:
>>>
>>> <snip>
>>>
>>> @header( "Content-type: text/html; charset=\"UTF-8\"" );
>>> // XML version and encoding for well-behaved browsers
>>> echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n";
>>> ?>
>>>
>
>
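
An added example, not code from the thread, of the practice the thread recommends: derive both the Content-Type header and the charset argument of htmlentities() from one constant so they cannot drift apart. It assumes PHP 5.4 or later (for ENT_SUBSTITUTE); the function names and sample strings are my own.

```php
<?php
// Added example, not from the thread: keep the charset passed to
// htmlentities() tied to the charset sent in the Content-Type header.
// Requires PHP 5.4+ for ENT_SUBSTITUTE.

// Single source of truth for the page encoding.
define('PAGE_CHARSET', 'UTF-8');

// The header and the escaper both read the same constant.
function send_page_headers()
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=' . PAGE_CHARSET);
    }
}

// Escape untrusted text for an HTML body or quoted attribute.
// Passing the charset explicitly lets htmlentities() find character
// boundaries correctly.  ENT_SUBSTITUTE replaces byte sequences that are
// not valid in that charset with U+FFFD instead of returning '' (the
// PHP 5.4+ behaviour on invalid input) or letting raw bytes through.
// The same third argument applies if htmlspecialchars() is used instead.
function e($text)
{
    return htmlentities((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, PAGE_CHARSET);
}

send_page_headers();

// Constructed sample inputs: one valid multibyte string carrying markup,
// one string with a lone 0xE9 byte that is Latin-1 but not valid UTF-8.
$samples = array(
    'multibyte + markup' => "\xc3\x9cnicode <script>alert(1)</script> & \"q\"",
    'invalid utf-8 byte' => "caf\xe9 <b>",
);

foreach ($samples as $label => $raw) {
    echo $label, ': ', e($raw), "\n";
}
```

Run it from the command line to see the escaped forms; the second sample shows that an invalid byte is substituted rather than emitted as-is, which is the failure mode an escaper with the wrong charset would miss.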