Obviously one of the main ways to protect against malicious code from users is to encode the data to HTML entities; however, what about when using the data in the page title, as the page title doesn't convert the entities for display purposes and &amp; will display literally as &amp; instead of &.
I'm wondering what methods you can use to sanitize data for use in page titles? I have already run the PHP function strip_tags on the data, but I'm unsure whether this is enough protection or whether I should be doing more. Still encode, but then decode certain characters afterwards?
Edit: Firefox title bar screenshot below.
My Input:
<title>Testing 123 - & testing</title>
Source:
<title>Testing 123 - &amp; testing </title>
So looking at that, if I understand correctly it has double-encoded it, leading me to believe that data inside the titles is automatically encoded and thus it is safe to insert unencoded data inside <title> tags?
I guess my only worry is: is this the case for all clients/browsers? ...or is PHP encoding it automatically?
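The encode step the question asks about, as an added example that is not part of the original post: a small PHP helper that builds the `<title>` element with htmlspecialchars, plus a second helper that reverses the encoding to show what the browser's title bar will render. The `$cases` inputs are constructed; the first one is the question's own test string.

```php
<?php
// Added example (not from the question). Assumption: $userInput is untrusted,
// e.g. taken from $_GET, and the page is served as UTF-8.

// Build the <title> element with the user-supplied text entity-encoded.
// The browser decodes character references inside <title> when it displays
// them, so "&amp;" is shown as "&" in the tab; there is no need to decode
// anything yourself afterwards. Encoding "<", ">", "&" and quotes also stops
// the text from ending the element early, which strip_tags() alone does not
// guarantee.
function safe_title(string $userInput): string
{
    $encoded = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<title>' . $encoded . '</title>';
}

// What the browser will show for a given <title> element: strip the tags and
// decode the references, i.e. the inverse of safe_title(). Handy as a
// self-check when testing the output of the function above.
function displayed_title(string $titleElement): string
{
    $inner = preg_replace('#^<title>(.*)</title>$#s', '$1', $titleElement);
    return html_entity_decode($inner, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$cases = [
    'Testing 123 - & testing',    // the string from the question
    'Tom & Jerry <3 "quotes"',    // mixed special characters
];

foreach ($cases as $input) {
    $element = safe_title($input);
    printf("source:    %s\n", $element);
    printf("displayed: %s\n\n", displayed_title($element));
}
```

Running it shows the page source containing `&amp;` while the displayed title contains a plain `&`, which is the behaviour seen in the Firefox title bar in the edit above.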