MyBB Community Forums

Full Version: Preventing XSS when echoing in PHP?
Does MyBB have a built in function to prevent XSS problems when echoing? Or should I just use:

echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

(2017-02-17, 02:29 AM)Achilles Wrote: Does MyBB have a built in function to prevent XSS problems when echoing? Or should I just use:

echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

When echoing a variable use:
echo htmlspecialchars($string);

You shouldn't need anything else :)

The custom function htmlspecialchars_uni() is used throughout MyBB.

(2017-02-17, 06:19 AM)Nathan Malcolm Wrote: The custom function htmlspecialchars_uni() is used throughout MyBB.

I was looking this up; that will allow for Unicode, while standard htmlspecialchars is UTF-8 or UTF-16 (I think). Can anyone tell me what the advantage is for Unicode? Haven't found a simple answer besides the fact that Unicode creates a unique symbol for every character.

This thread has a pretty descriptive answer. I believe, though, the tl;dr is that it's essentially so that your board can display multiple languages more accurately/easily; if anyone knows more, though, feel free to correct me.
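
Added example, not part of the thread and not MyBB code: a comparison of the two htmlspecialchars() calls quoted above when the value lands inside a single-quoted attribute, plus what happens with input that is not valid UTF-8. The helper name esc_html() is hypothetical and both sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a MyBB function): escape for HTML text and quoted
// attribute values with flags and charset stated explicitly, so the result
// does not depend on the defaults of the PHP version in use.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: tries to close a single-quoted attribute value
// and append an attribute of its own.
$input = "x' data-injected='1";

// ENT_COMPAT was the default flag set before PHP 8.1 (the thread dates from
// 2017): double quotes are escaped, single quotes are left as they are.
$compat = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');

// ENT_QUOTES also rewrites ' as &#039;, so the value stays a single attribute.
$quotes = esc_html($input);

echo "ENT_COMPAT: <input value='{$compat}'>\n";
echo "ENT_QUOTES: <input value='{$quotes}'>\n";

// Constructed sample input: a Latin-1 byte that is not valid UTF-8.
$bad = "caf\xE9";

// Without ENT_SUBSTITUTE or ENT_IGNORE, htmlspecialchars() returns an empty
// string for invalid input, silently dropping the whole value.
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'));

// With ENT_SUBSTITUTE the invalid byte is replaced by U+FFFD and the rest of
// the string is kept.
var_dump(esc_html($bad));

// Valid multi-byte UTF-8 text passes through untouched; only the characters
// & < > " ' are rewritten.
var_dump(esc_html('日本語 <b>'));
```

This escaping is for HTML text and quoted attribute values only; values placed in URLs, inline JavaScript or CSS need escaping for that context instead.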