Is using htmlspecialchars() sufficient in all situations?

My users are allowed to insert anything into my database.

So using a whitelist / blacklist of characters is not an option.

I'm not worried (covered it) about the database end (SQL injection), but rather code injection in my pages.

Are there any situations where htmlspecialchars() wouldn't be sufficient to prevent code injection?

Solution

Plain htmlspecialchars is not sufficient when inserting user text into single quoted attributes. You need to add ENT_QUOTES in that case and you need to pass the encoding.

<tag attr='<?php echo htmlspecialchars($usertext);?>'> //dangerous if ENT_QUOTES is not used

When inserting user text into javascript/json as string you'll need additional escaping.

I think it fails for stange character sets too. But if you use one of the usual charsets UTF-8, Latin1,... it will work as expected.

PHP arrays, how to access keys and values
Error 500 - Premature end of script headers in Laravel
I want to hide json file from public access. How do I do that?
I got this error "Use of a direct database call is discouraged"
PHP replace string with values from array
How to Validate Bitbucket Webhook Signature Using Secret Key?
Passing docker-compose .env file values into the container
Declaring Variable Types in PHP?
How can I detect a malformed UTF-8 string in PHP?
PHP: mb_convert_encoding() to UTF-16LE doesn't work
Use WC Kalkulator product field values to update WooCommerce cart item product properties
What is the difference between strcmp() and Spaceship Operator (<=>)
Validate UUID with Laravel Validation
Artisan Call output in Controller?
PHP Fatal error: Uncaught RuntimeException: Unable to create the Doctrine Proxy directory on SuiteCRM clean installation
Xdebug not writing to file
SUBMIT button value sent only when clicked
Use integer for relation
PHP switch case to update array not affecting array
Remove more than 1 blank line between paragraphs with only 1 blank line AND remove excess white spaces
WooCommerce Orders and Items Array with JQuery DataTables
Download file or Open if file type is PDF
How to change default timeout of Http Client in Laravel
PHP Symfony parse JSON response deserialize class constructor
Initializing a huge array (50000 entries)
Adding Tanstack react-query to laravel 11 reactjs inertia project
Calling Python in PHP
How using phpword delete personal data left in word template when generate file?
How to filter the output of the data received from the database based on the meta relation?
Laravel 7 Eloquent relationships not working