I read a great article about escaping data on output that went into great detail, with one exception: it told you when you needed to escape output data, but not what to use where.
The rules were:
- If inserted between tags, you should escape < > &
- If inserted inside an attribute, you need to escape quotes too. So: < > & " '
- If it is inserted as a URL, then you also need to check the protocol scheme (to make sure it is not a javascript: URL)
The first two I understand and have solutions for.
So, from a $_GET variable, with this logic it would be as follows.
If inserted between tags:
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING);
echo 'Hi '. htmlspecialchars($name, ENT_NOQUOTES, 'UTF-8');
or
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING);
echo 'Hi '. htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
If inserted inside an attribute:
<img src="<?php echo htmlspecialchars($img_path, ENT_COMPAT, 'UTF-8'); ?>">
If the first two are correct, that leaves the third on the list, and that one has me perplexed. A little help on this one?
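As an added example (not part of the question above, and not code from the article it refers to), here are three small PHP helpers, one per context in the list, with the third one showing the scheme check the question asks about. The function names, the allow-list of schemes and the sample $_GET-style values are my own assumptions; it assumes PHP 8 for str_starts_with().

```php
<?php
// Added example: context-specific output escaping for the three cases
// listed in the question. Function names are assumptions; the sample
// values below are constructed stand-ins for $_GET input.

declare(strict_types=1);

// 1. Text inserted between tags: < > & must be escaped. Escaping quotes
//    as well (ENT_QUOTES) is harmless here and avoids a mistake if the
//    helper is later reused for an attribute.
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Value inserted inside an attribute: < > & " ' must all be escaped so
//    the value cannot close the attribute or the tag, whichever quote
//    style the template uses.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Value used as a URL (href/src): attribute escaping alone is not
//    enough, because "javascript:alert(1)" contains none of < > & " '.
//    The scheme is checked against an allow-list first; only then is the
//    string attribute-escaped. Returns null when the URL must not be
//    emitted, so the caller can substitute a safe default.
function esc_url(string $url, array $allowedSchemes = ['http', 'https', 'mailto']): ?string
{
    // Browsers ignore embedded tab/newline characters and leading or
    // trailing whitespace when parsing a URL (so "java\tscript:" still
    // runs), so strip those BEFORE inspecting the scheme.
    $clean = trim((string) preg_replace('/[\x00-\x1F\x7F]/', '', $url));
    if ($clean === '') {
        return null;
    }

    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        if (!in_array(strtolower($m[1]), $allowedSchemes, true)) {
            return null; // javascript:, data:, vbscript:, anything unexpected
        }
    } elseif (str_starts_with($clean, '//')) {
        // Protocol-relative URL: leaves the site with the page's own scheme.
        // Rejected here; accept it only against a host allow-list.
        return null;
    }
    // Otherwise it is a relative URL (path, query or fragment): no scheme
    // to check, attribute escaping is sufficient.

    return htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Constructed sample input standing in for $_GET values ---
$name = 'Bob <script>alert(1)</script>';
$img  = 'pic.png" onerror="alert(1)';
$link = 'jAvAsCrIpT:alert(document.cookie)';
$ok   = 'https://example.com/page?a=1&b=2';

echo 'Hi ' . esc_text($name) . "\n";
echo '<img src="' . esc_attr($img) . '">' . "\n";

// The javascript: link is rejected by esc_url() and replaced with '#'.
echo '<a href="' . (esc_url($link) ?? '#') . '">link</a>' . "\n";

// The https: link passes the scheme check and only has its & escaped.
echo '<a href="' . (esc_url($ok) ?? '#') . '">ok</a>' . "\n";
```

The important design point for the third case is the order of operations: normalise (strip control characters, trim), then decide on the scheme, then escape for the attribute. Checking the scheme with a blocklist ("does it start with javascript:?") is fragile because of case and embedded whitespace tricks; an allow-list of the few schemes the page actually needs to link to is both shorter and safer.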