Htmlentities and HTML Email MIME Type Security Question

Hello,

I have a form that when submitted generates an HTML email that looks just like the form with all of the user supplied POST data present in the form.

My concern is javascript being placed into the form and the javascript running when the email is viewed. Here’s what I’m doing to prevent that:

function cleanTheHTML($cleanThisHTML) {
		if (is_array($cleanThisHTML)) {
			$cleanPost = array();
			foreach ($cleanThisHTML as $k => $v) {
				$cleanPost[$k] = htmlentities($v, ENT_QUOTES, 'UTF-8');
			}
		} else {
			$cleanPost = htmlentities($cleanThisHTML, ENT_QUOTES, 'UTF-8');
		}
		return $cleanPost;
	}

$cleanPost = cleanTheHTML($_POST);

So far in my testing, this works well.

My question is, the PHP code that generates the HTML email states this:

$customHeaders .= 'Content-type: text/html; charset=iso-8859-1' . "\\r\
";

I’m guessing I should change iso-8859-1 to UTF-8 to match the htmlentities I’m using? Or should I change the htmlentities to iso-8859-1 ?

This data is not being stored in a database. It is going directly from the HTML form to an HTML email via PHP.

Thanks,
Noob