HTML Encoding by Language: Python, JS, PHP, Ruby, Java, and Go
How to HTML-encode strings in every major language: html.escape in Python, he in JS, htmlspecialchars in PHP, CGI.escapeHTML in Ruby, and more.
Tags: encoding, html, developer-tools
Every backend language has a function for HTML escaping. The functions differ in which characters they cover, their default behavior, and the library they live in. Getting this wrong — using the wrong function, the wrong flags, or the wrong encoding order — leads to XSS vulnerabilities or double-encoding bugs. This article shows side-by-side code for HTML escaping in six languages, covering the five critical characters that must always be encoded.

The Five Characters That Must Be Encoded

Any compliant HTML escaping function must handle:

| Character | Entity | Risk if unencoded |
|-----------|--------|-------------------|
| & | &amp; | Broken entity references, injection entry point |
| < | &lt; | Tag injection, XSS |
| > | &gt; | Tag injection |
|…
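The Python version of the article's checklist, as an added example rather than code from the original post: it escapes with html.escape, checks whether any escaper leaves one of the five characters raw (the quote flag pitfall), and shows the double-encoding bug. The helper names, the entity regex and SAMPLE are my own constructions.

```python
import html
import re

# The five characters and the entities html.escape emits for them.
# html.escape replaces "&" first, so the order cannot turn an already
# produced entity back into a raw ampersand.
FIVE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

# Matches one complete named or numeric entity, e.g. &amp; or &#x27;
ENTITY = re.compile(r"&(?:#x?[0-9a-fA-F]+|[a-zA-Z]+);")


def escape_html(s: str, quote: bool = True) -> str:
    """Escape for HTML text content or a quoted attribute value.

    quote=True (Python's default) is required for attribute contexts;
    with quote=False both quote characters are left raw.
    """
    return html.escape(s, quote=quote)


def unescaped_dangerous(s: str) -> set:
    """Return which of the five characters are still raw in an escaped string.

    Well-formed entities are stripped first, so a lone "&" counts as raw
    while "&amp;" does not. An empty set means the escaper covered all five.
    """
    stripped = ENTITY.sub("", s)
    return {c for c in FIVE if c in stripped}


def escape_once(s: str) -> str:
    """Normalise input that may already be escaped, then escape exactly once.

    Escaping twice turns "&" into "&amp;amp;", which the browser shows the
    user as "&amp;"; unescaping first makes the operation idempotent.
    """
    return escape_html(html.unescape(s))


# Constructed sample containing all five characters.
SAMPLE = '<a href="x">Tom & Jerry\'s</a>'

if __name__ == "__main__":
    print(escape_html(SAMPLE))
    print("quote=False leaves raw:", unescaped_dangerous(escape_html(SAMPLE, quote=False)))
    print("double-encoded:", escape_html(escape_html("Tom & Jerry")))
    print("escape_once:", escape_once("Tom &amp; Jerry"))
```

unescaped_dangerous is a quick conformance check you can point at any language's escaper output when porting the table to the other five languages.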