why not using strip_tags() to prevent xss attack instead of htmlspecialchars()?

If I need to display $_GET values in templates, why not using strip_tags() to prevent xss attack instead of htmlspecialchars()?

Solution

Because strip_tags doesn't fix every possible abuse case. True, it fixes the worst offenders, but there are other cases, e.g. when inserting values back into <input> tags yourself, where the quotes can be broken out of.

Consider: <input type="text" value="my string" />

If my string comes from some other data source that isn't XSS-protected, it could conceivable contain something like: "><script ....

which can use the original closing > of the input tag - and strip_tags may or may not catch that case. I seem to remember it looks for < followed by > which wouldn't be found in the above string.

How to prevent Rust's Url::parse from auto-encoding and instead throw error?
How can I sanitize user input with PHP?
Is it possible for a XSS attack to obtain HttpOnly cookies?
Simulate xss in angular
Laravel safe way to output text with line breaks
How to set a BeEF hook to a page
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Determining XSS Attack Vulnerabilities
How can I make sure that the array values are htmlencoded when using print_r and var_dump?
Content Security Policy: allowing all external images?
Post raw HTML data via AJAX to server with ModSecurity
Is <textarea> .value Cross-Site Scripting (XSS) safe?
Service Stack - Security XSS Query following pentest
HTML Sanitizer API - Angular (mXSS)
dangerouslySetInnerHTML not working with a <script>
How could I escape a value in custom JSP tag handler?
Assigning window.open causes a DOMException
How to safely run user-supplied Javascript code inside the browser?
HTML-Entity escaping to prevent XSS
AEM Rich Text Source Editor Anchor Tag Stripping href formed like Sightly tag
What would cause a java process to greatly exceed the Xmx or Xss limit?
How do I prevent people from doing XSS in Spring MVC?
how to set Http header X-XSS-Protection
PHP_SELF and XSS
AWS WAF Getting 403 forbidden error while trying to upload an image
XSS prevention in JSP/Servlet web application
Sanitizing user input before adding it to the DOM in Javascript
How do you configure HttpOnly cookies in tomcat / java webapps?
Is dangerouslySetInnerHTML in Next really dangerous? When is it acceptable to be used?
When is it best to sanitize user input?