Working with the car sales website Autotrader and they do not output html symbols. Instead they don't allow the use symbols by converting them to their entities and only outputting that.
For some reason they don't seem to feel its necessary to decode the entities for output.
This leads me to another question about my own website.
I am using HTMLPurifier to safely save and output user input.
This converts all symbols and < etc to their entities.
What is the correct way to output html entities but as their proper symbols in PHP?
I have been using html_entity_decode() which works. But it has occurred to me that this might in fact literally change the characters back and there for allow XSS etc attacks again.
How can i PHP echo a string that contains entities but display the symbols correctly and safely?
Do not decode, send the string with entities directly to the HTML output.
The HTML entities will be shown correctly by the user's browser. When you output from PHP
echo "Hello kitty!<script>steal_her_password();</script>";
then the user will correctly see
Hello kitty!<script>steal_her_password();</script>
but if you decode this string first, then the user will see only
Hello kitty!
plus her password will be stolen.