Is htmlspecialchars() a foolproof way of preventing any risk of an XSS attack on HTML element attributes?
For example, in this input element, will the use of htmlspecialchars(), which also encodes quotes, ensure total safety?
Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?
<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>">
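The following is an added example, not part of the original question, that shows why the quotes around the attribute matter as much as the encoding: the same encoded string is harmless inside a quoted value attribute but becomes extra attributes when the quotes are left off. The helper name attr() and the sample string are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Encode a value for placement inside a double- or single-quoted HTML attribute.
function attr(string $value): string
{
    // ENT_QUOTES encodes both " and ' (in addition to &, < and >);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: a value that tries to close the attribute and start another one.
$untrusted = 'hello" title="injected';

// Quoted attribute: the embedded quote is emitted as &quot;, so the parser sees a
// single value attribute whose text merely contains a quote character.
$quoted = '<input type="text" value="' . attr($untrusted) . '">';
echo $quoted, PHP_EOL;

// Unquoted attribute: htmlspecialchars() does not touch spaces, so the space after
// &quot; terminates the value and "title=..." is parsed as a second attribute.
// Encoding alone is not enough; the attribute must always be quoted.
$unquoted = '<input type="text" value=' . attr($untrusted) . '>';
echo $unquoted, PHP_EOL;

// Note: this covers attributes whose value is plain text. Attributes the browser
// interprets as a URL (href, src) or as script (on* handlers) need context-specific
// validation in addition to HTML encoding.
```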