Title: htmlentities function to avoid xss injection attacks
Last modified: August 20, 2016

---

# htmlentities function to avoid xss injection attacks

 *  [Simone](https://wordpress.org/support/users/simonttz/)
 * (@simonttz)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/htmlentities-function-to-avoid-xss-injection-attacks/)
 * I am doing a site for a client, a very security oriented client, and they told
   me I need to do the following:

   > You will need to do the encode on the server-side… In PHP, you can use the
   > htmlentities() function to encode or escape non-alphanumeric characters, i.e.
   > `$clean_email = htmlentities($_POST['email']);`

 * I am trying to secure a contact form with the typical Name, Email, Message.
 * Can anyone help me with this? What code and where do I need to add it? (functions.php?)
   Thanks!
 * -Simone

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [linux4me2](https://wordpress.org/support/users/linux4me2/)
 * (@linux4me2)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/htmlentities-function-to-avoid-xss-injection-attacks/#post-3239582)
 * That’s a little old-fashioned. Maybe the server you’re on is using an old version
   of PHP? These days, you sanitize a submitted email address using:
   `$clean_email = filter_input(INPUT_POST, 'dirty_email', FILTER_SANITIZE_EMAIL);`
   where “dirty_email” is the name of the form field that is submitted by POST. There
   is a corresponding function for GET. You would put it wherever your form-handling
   code is; i.e., where the code is that receives the user-submitted data and before
   you do anything with the data.
 * My question is, why are you doing this when there are so many good form plug-
   ins out there that will add features and decrease your development time, like
   [Fast Secure Contact Form](http://www.fastsecurecontactform.com/), for example?
   There are a bunch of them.
 *  Thread Starter [Simone](https://wordpress.org/support/users/simonttz/)
 * (@simonttz)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/htmlentities-function-to-avoid-xss-injection-attacks/#post-3239593)
 * Good point.. Thanks, you’re a life saver
 * PS – I was using the default contact form from a theme
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/htmlentities-function-to-avoid-xss-injection-attacks/#post-3239643)
 * WordPress has its own built-in function for that. If your theme is not properly
   coding this, you might want to contact them.
 * [http://codex.wordpress.org/Function_Reference/esc_attr](http://codex.wordpress.org/Function_Reference/esc_attr)
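As an added example serving both replies above (not code from the thread, from the theme, or from any plugin): a plain-PHP contact-form handler that sanitizes the e-mail with the filter linux4me2 suggests and then escapes every field with htmlentities() at the point where it is echoed back into the form, which is what the client's "encode on the server-side" requirement means. filter_var() stands in for filter_input() so it runs from the command line on the constructed $_POST; the field names are assumptions.

```php
<?php
// Added example, not from the thread. Plain PHP, no WordPress required:
// sanitize the submitted fields, then escape them when echoing them back
// into the HTML form.

// Constructed sample input standing in for the real request; the field
// names "name", "email" and "message" are assumptions.
$_POST = [
    'name'    => 'Simone <script>alert(1)</script>',
    'email'   => "o'reilly@example.com",
    'message' => 'Tom & "Jerry"',
];

// Step 1: sanitize on the way in. FILTER_SANITIZE_EMAIL (linux4me2's
// suggestion) drops characters that cannot appear in an address, but the
// single quote is legal in e-mail addresses and survives, so the result is
// still not safe to drop into an attribute such as value='...'.
function clean_contact_fields(array $post): array
{
    return [
        'name'    => trim((string) ($post['name'] ?? '')),
        'email'   => (string) filter_var($post['email'] ?? '', FILTER_SANITIZE_EMAIL),
        'message' => trim((string) ($post['message'] ?? '')),
    ];
}

// Step 2: escape on the way out, at the moment the value enters HTML.
// ENT_QUOTES encodes both quote styles as well as < > &, so the result is
// safe in element text and in single- or double-quoted attribute values.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function esc(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Re-populate the form after a failed submission. The unsafe version this
// replaces would be: '<input name="name" value="' . $fields['name'] . '">'.
function render_form(array $fields): string
{
    return '<input name="name" value="' . esc($fields['name']) . '">' . "\n"
         . '<input name="email" value="' . esc($fields['email']) . '">' . "\n"
         . '<textarea name="message">' . esc($fields['message']) . '</textarea>';
}

// Inside a WordPress theme, esc_attr() (the function MickeyRoush links) does
// the attribute escaping and esc_html() the element-content escaping.
echo render_form(clean_contact_fields($_POST)), "\n";
```

Sanitizing the input and escaping the output are separate steps: the first narrows what a value may contain, the second makes whatever remains inert in the page.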

The topic ‘htmlentities function to avoid xss injection attacks’ is closed to new
replies.

## Tags

 * [HTMLEntities](https://wordpress.org/support/topic-tag/htmlentities/)
 * [php](https://wordpress.org/support/topic-tag/php/)
 * [xss](https://wordpress.org/support/topic-tag/xss/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 3 participants
 * Last reply from: [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * Last activity: [13 years, 5 months ago](https://wordpress.org/support/topic/htmlentities-function-to-avoid-xss-injection-attacks/#post-3239643)
 * Status: not resolved
