Should I use both striptags() and htmlspecialchars() to prevent XSS?

Does this depend on if the input is going to be printed to the user? In my case I need to return the input back to the user (comments and bio).


Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

htmlspecialchars() is enough to prevent XSS.

Strip tags removes tags but not special characters like " or ', so if you use strip_tags() you also have to use htmlspecialchars().

If you want users’ comments to be displayed like they typed them, don’t use strip_tags, use htmlspecialchars() only.

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply