
I'll admit that I'm no PHP expert, but I was under the impression that htmlentities prevented XSS by converting all special HTML characters to their equivalent HTML entity.

If htmlentities works properly, and it is used properly, shouldn't it prevent XSS since an attacker who inputs something like <script>alert("xss")</script> would simply see the message displayed back to them instead of the browser actually executing it?




Hmm, yeah you're right. I'm not sure what I was thinking of.
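An added example (not from either commenter) showing what htmlentities() does to the payload quoted above, and the one caveat that matters in practice: the function only protects HTML text nodes and quoted attribute values, so the output context still has to be right. The escape_html() wrapper and the sample strings are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Encode untrusted data for an HTML text node or a quoted attribute value.
// ENT_QUOTES encodes both ' and " (older PHP versions defaulted to ENT_COMPAT,
// which leaves ' untouched); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning "", which would otherwise silently blank the output.
function escape_html(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input: the exact payload mentioned in the comment above.
$payload = '<script>alert("xss")</script>';

// Text-node context: the browser shows the string literally, nothing executes.
echo '<p>' . escape_html($payload) . "</p>\n";
// <p>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p>

// Quoted attribute context: also safe, because an encoded " cannot close the
// attribute value and start a new one.
$attr = '" title="injected';
echo '<input value="' . escape_html($attr) . "\">\n";
// <input value="&quot; title=&quot;injected">

// Caveat: encoding alone does not help where the value is not inside a text node
// or a quoted attribute. In an unquoted attribute the first space ends the value,
// so the rest becomes a second attribute even though nothing was decoded.
// Inside <script> or a javascript: URL the value is code, not markup, and needs
// a context-specific encoder (or should be rejected outright).
$unquoted = 'x title=injected';
echo '<input value=' . escape_html($unquoted) . ">\n";
// <input value=x title=injected>   <- htmlentities() changed nothing here
```

The fix for the last case is simply to always quote attribute values in the template; the encoder is correct, the surrounding markup was not.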



