I was asking myself about the security of using the php function htmlentities() against XSS attacks, and maybe of related functions such as htmlspecialchars.

thanks a lot :)

You will need to explicitly specify proper encoding (e.g: utf-8), Chris had a post on how to inject code even calling htmlentities without appropriate encoding.

http://shiflett.org/blog/2005/dec/google-xss-example

It is not bullet-proof, it never saves you 100%. You must remember that when it comes to security, the developer is responsible for it. Languages do provide good deal of security functions and more so it is up to developer how they secure their site whether they use whitelist approach or blacklist approach. If htmlentities was all, frameworks like codeigniter, kohana and more would not have come up with their own great security functions.

The most important thing is to sanitalize and filter any input coming from the user.

No, functions like htmlspecialchars and htmlentities do not protect against all cases of Cross-Site Scripting.

Cases in which these function won’t help are:

• The exploit data does not reach the server (DOM-based XSS).
• The exploit data is not interpreted in an HTML context only and the special characters encoded by these functions are either not required or not the only ones that are special in the corresponding context.

Especially the latter reason is often missed. There are many examples in the OWASP’s XSS Prevention Cheat Sheet for where an injection can happen in an HTML document. But not all require any of the HTML special characters to inject and execute JavaScript code.