
When is it appropriate to escape html entities?

In my server-side application every output is passed through htmlentities function. In that way I can assure that my application is xss safe.

But why can't the input display the htmlentities output correctly? For example, this code:

<input class="form-control" placeholder="name" id="name" />
name.value = '&lt;script&gt;'

NOTE: &lt;script&gt; = htmlentities("<script>");

This code displays the word &lt;script&gt; inside the box, but I expected to see <script>. Right?

Wrong. htmlentities() does the job of converting characters to HTML entities.

Take the following example and see for yourself.

<input type="text" value="<?php echo htmlentities("<script>"); ?>" />
<input class="form-control" placeholder="name"    id="name" />
<input class="form-control" placeholder="name"    id="address" />
<script type="text/javascript">
    // decode "&amp;" last, so that an escaped "&lt;" (sent as "&amp;lt;") is not decoded twice into "<"
    document.getElementById("name").value = "<?php echo htmlentities("<script>"); ?>".replace(/&lt;/g,'<').replace(/&gt;/g,'>').replace(/&amp;/g,'&');
    document.getElementById("address").value = "<?php echo htmlentities("<script>"); ?>";
</script>

The difference is that you are using JavaScript to update the value of the HTML element, and JavaScript just puts the escaped value in the box. The point is that you have to unescape the escaped entities in your case.
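The answer's point is really about output context: an HTML-entity-encoded value is only decoded where an HTML parser reads it (markup, including attribute values), never when JavaScript assigns a DOM property such as `.value`. The following is an added example, not code from the question or the answer. It models both contexts in plain JavaScript (the `htmlParserDecode` function is an assumed stand-in for what the browser's parser does with the entities PHP's `htmlentities()` emits), shows why the order of a hand-rolled unescape chain matters, and shows the usual alternative to escape-then-unescape: handing the raw value to a script block as a JSON literal with its HTML-significant characters `\u`-escaped (the JavaScript counterpart of PHP's `json_encode()` with `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS`).

```javascript
// Added example: HTML-entity encoding versus the context the value lands in.

// Equivalent of PHP htmlentities() for the five characters that matter in
// HTML text and attribute contexts (PHP >= 8.1 also escapes single quotes).
function htmlEntities(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed model of the browser's HTML parser reading an attribute value such
// as value="&lt;script&gt;": every entity is decoded exactly once in a single
// pass, so "&amp;lt;" becomes "&lt;" and not "<".
function htmlParserDecode(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#039": "'" };
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (m, name) => map[name]);
}

// A chained unescape that replaces "&amp;" first: the first pass turns
// "&amp;lt;" into "&lt;", and the second pass then turns that into "<".
function chainedDecodeAmpFirst(s) {
  return s.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">");
}

// Same chain with "&amp;" decoded last: each entity is decoded once.
function chainedDecodeAmpLast(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Context 1: the encoded value is written into markup. The parser decodes
// it, so the user sees the original text and the markup stays intact.
function renderViaMarkup(raw) {
  const markup = `<input value="${htmlEntities(raw)}">`;
  const attr = /value="([^"]*)"/.exec(markup)[1];
  return htmlParserDecode(attr); // what appears in the box
}

// Context 2: the encoded value is assigned to a DOM property from script
// (element.value = encoded). No HTML parsing happens, so the entities are
// shown literally; this is the behaviour the question observed.
function renderViaDomProperty(encoded) {
  return encoded;
}

// Context 3: the raw value is emitted into a <script> block as a JSON
// literal. Escaping <, >, & and the line separators as \uXXXX keeps the
// literal from ever closing the script tag or forming markup, while
// JSON.parse (or a direct literal in the page) yields the original text,
// so no unescape step is needed on the client.
function jsonForScriptBlock(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Stand-alone run over a constructed input.
console.log(renderViaMarkup("<script>"));                     // <script>
console.log(renderViaDomProperty(htmlEntities("<script>")));  // &lt;script&gt;
console.log(jsonForScriptBlock("</script><b>&"));
```

In a page, context 3 would be written as `var name = <?php echo json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS); ?>;` followed by `document.getElementById("name").value = name;`, which removes the need to entity-encode and then decode the same string.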
