Do you need htmlentities() after that regex?

Hello,

Context: I am outputting data that has already been checked as being only alphanum before being inserted into the db. I have checked it with a regex. Is it necessary to use htmlentities() in that case? Is it the same in JavaScript? (If you answer it here, that will save the JS forum a rubbish thread of mine ;))

Hello

I guess that by alphanum you mean A-Z a-z 0-9. There is no HTML tag which consists only of alphanum characters, so the answer is no, you don't need to use htmlentities().

Yes, it is the same in JavaScript.

If you are absolutely sure the data contains only alphanum chars, then no, you don't need to use htmlentities(), because it is coming from a "trusted source".

You face a problem though: it is one thing to filter and sanitize data, maybe escaping it for your database, but how do you reliably notify anyone else (which might well be you in a few weeks' or months' time when you come back to this code) that the contents of tableA.FieldX don't need to be escaped?

Do you name the field clean_FieldX?
Do you leave a comment somewhere?

If it is one field in 20 which does not need to be escaped, then why risk it?

If your application takes only one value coming from an unknown source and mixes it with 19 others coming from your own systems, then depending on a) the type/size of the field and b) how rigorous your sanitization process is (and how well it is tested), you may decide you don't need to escape in this instance.

The rule is: escape output; only break it if you are certain you need to.
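As an added example (not code posted by anyone in this thread), here is the "escape output" rule applied in JavaScript, which also answers the JS half of the question. It shows two things: escaping a value that really is alphanumeric returns it unchanged, so escaping unconditionally costs nothing; and the "certain" part is harder than it looks, because a validator that is off by one anchor accepts markup that only the unconditional escape neutralises. The helper names (`escapeHtml`, `isAlphanumStrict`, `isAlphanumLoose`, `renderItem`) and the sample inputs are constructed for this illustration.

```javascript
// Added example, not from the original thread: always escape on output,
// and see why "I validated it as alphanumeric" is hard to be certain of.

// Escape the five characters that matter in an HTML text or quoted
// attribute context. A single pass with a character map means the
// replacement never re-processes its own output (no double escaping).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Strict check: the entire string, from start to end, must be A-Z a-z 0-9.
function isAlphanumStrict(s) {
  return /^[A-Za-z0-9]+$/.test(s);
}

// A common "looks right" mistake: without ^ and $ the regex only asks
// whether the string CONTAINS an alphanumeric run, so "x<img ...>" passes.
function isAlphanumLoose(s) {
  return /[A-Za-z0-9]+/.test(s);
}

// Render a value into an HTML list item. The escape is unconditional;
// the validator's verdict is returned alongside purely so the demo can
// show that the output is safe regardless of which validator was used.
function renderItem(value, validator) {
  const accepted = validator(value);
  return { accepted, html: `<li>${escapeHtml(value)}</li>` };
}

// Constructed sample inputs: a genuinely alphanumeric username, and a
// payload that the loose check accepts but the strict one rejects.
const SAMPLES = ["alice42", "x<img src=x onerror=alert(1)>"];

function demo() {
  return SAMPLES.map((v) => ({
    value: v,
    strict: renderItem(v, isAlphanumStrict),
    loose: renderItem(v, isAlphanumLoose),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` and compare the two rows: for `alice42` both validators accept and the escaped output is byte-for-byte the input, so the escape "wasted" nothing. For the second value the loose validator says `accepted: true`, exactly the situation the posts above warn about, and the only reason the rendered `<li>` is harmless is that `renderItem` escapes regardless of what the validator said.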