A few security relations related to the interplay between PHP, JSON, JS, and jQuery

You are right that htmlentities doesn’t sanitize except to encode things for display in html, but I mean to echo the user input in the html. (I’m not putting this user input into a database, I should have said that.)

Is there another specific PHP sanitizing filter you could recommend here? A use case would be a simple program that asks, “What is your name?” and then appends it to the page with jQuery using the code path specified above. Before I added htmlentities, < script > would have gotten through, so I am trying to secure the entire code path, but I don’t have a lot of security knowledge.

I didn’t know about CSP headers so I have a lot of reading to do there. Thanks for pointing it out to me.

(In all my posts < script > without the spaces prevents the rest of the text from loading, so consider it without the spaces.)
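For the "What is your name?" use case, the defensive point is to encode for the output context rather than to "sanitize" the input. The following is an added example and not the poster's code; it assumes a form field named `name`, a hypothetical endpoint `hello.php` that answers with JSON, and a jQuery call that writes the reply into a `#greeting` element.

```php
<?php
// Added example: context-specific output encoding for one user-supplied value.
declare(strict_types=1);

// Context 1: the value is echoed directly between HTML tags by PHP.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside attributes.
function forHtmlBody(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context 2: the value is handed to JavaScript as JSON.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so a name such as
// "</script><script>..." cannot terminate an inline <script> block or an
// attribute, whichever way the client later uses the string.
function forJson(array $data): string
{
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Raw input: nothing is stripped here. Stripping or "cleaning" input tends to
// be bypassable; encoding at the point of output is what prevents script
// injection.
$name = $_POST['name'] ?? '';

// Either respond as JSON for the jQuery path (hypothetical hello.php) ...
header('Content-Type: application/json; charset=utf-8');
echo forJson(['name' => $name]);

// ... or, if PHP renders the page itself, echo the encoded value into the markup:
// echo '<p>Hello, ' . forHtmlBody($name) . '</p>';

// Client side (jQuery), for reference: insert the reply as TEXT, not as markup.
//   $.post('hello.php', { name: $('#name').val() }, function (res) {
//       $('#greeting').text('Hello, ' + res.name);   // safe: no HTML parsing
//       // $('#greeting').html('Hello, ' + res.name); // unsafe: would parse tags
//   }, 'json');
```

With `.text()` the browser never parses the value as HTML, so no PHP-side encoding is required for that path; the `JSON_HEX_*` flags are a second layer in case the JSON is ever embedded in a page or consumed by `.html()` by mistake.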