Menu
How and what exactly do I use it for? Is this really all I need to prevent XSS attacks? And could someone please explain the difference between htmlspecialchars,mysql_real_escape_string, htmlpurifier, and other forms of injection defense. Does HTMLPurifier defend against JS attacks?
321
asked Jan 29 '26 13:01
In a typical use-case, you do not want to allow any HTML. In a case like that, you can strip markup, etc., but just doing that won't protect you against XSS (or SQL injection, etc.).
In cases where you don't want HTML, you would use htmlspecialchars or such to escape output to prevent XSS. In a such case you would also use SQL escaping to prevent SQL injection.
It's generally easier to simply strip all markup and always use htmlspecialchars.
When you absolutely have to allow HTML, this is the case what HTMLPurifier is meant for.
156
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
