I know this question was discussed on the net various times, and people give some examples of how to bypass these functions by passing some code. But here is one issue: all examples of htmlentities/htmlspecialchars relate to when we embed as an attribute value, like
<a href="" title="<?php echo htmlentities([XSS_CODE]) ?>"></a>
OR
<img onerror="<?php echo htmlentities([XSS_CODE]) ?>" />
But if I need to show data as content like below.
<div><?php echo htmlentities([XSS_CODE]) ?></div>
How could it be insecure? As the code will not have triggers/events, unlike in the case of attributes, this should be safe in all cases.
I studied https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet . Almost all examples for XSS attack/filter bypass do not work for the given case. I tried hex-encoded values of < & > as given in the last paragraph of the URL, but that again failed and was displayed simply as data.
I actually have doubts about https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Character_escape_sequences which has some combinations which are not handled by htmlentities, like \x3c, \u003c, %3C, while I myself am unable to produce an exploit using them.
I tried examples like
<?php
$code = "\x3cstrong\x3eHello World\x3c/strong\x3e"; // \x3c and \x3e are real PHP escapes for < and >
// OR
$code = "\u003cstrong\u003eHello World\u003c/strong\u003e"; // PHP has no \uXXXX escape; these stay literal text
?>
<div><?php echo htmlentities($code); ?></div>
Note: I tried all attacks on Firefox 40 on an Ubuntu machine.
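The question's test, carried out as an added example (not code from the original post): each constructed payload is passed through htmlentities() exactly as it would be echoed inside a <div>, and the output is checked for any raw < or > that survived. The renderContent() helper and the payload list are assumptions made for this example.

```php
<?php
// Added example: constructed payloads covering the escape sequences the
// question mentions (\x3c, \u003c, %3C) plus plain tags and PHP 7's \u{...}.
$payloads = [
    'plain tags'      => '<strong>Hello World</strong>',
    'php \\x escape'  => "\x3cstrong\x3eHello World\x3c/strong\x3e",
    // PHP does not interpret "\u003c"; the string keeps a literal backslash-u.
    'php \\u escape'  => "\u003cstrong\u003eHello World\u003c/strong\u003e",
    // %3C is only meaningful to a URL decoder; nothing here decodes it.
    'url encoded'     => '%3Cstrong%3EHello World%3C/strong%3E',
    // Real code-point escapes (PHP 7+) produce genuine < and > bytes.
    'php \\u{} escape' => "\u{3c}strong\u{3e}Hello World\u{3c}/strong\u{3e}",
];

// Hypothetical helper: render untrusted text as element content.
function renderContent(string $untrusted): string
{
    // ENT_QUOTES | ENT_SUBSTITUTE with an explicit charset is the robust form:
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of making
    // htmlentities() return "" (which would silently drop the data), and
    // naming the charset avoids a mismatch with the page's declared encoding.
    return '<div>' . htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</div>';
}

foreach ($payloads as $name => $payload) {
    $html  = renderContent($payload);
    $inner = substr($html, strlen('<div>'), -strlen('</div>'));
    // Any raw angle bracket in the encoded content would mean markup got through.
    $verdict = preg_match('/[<>]/', $inner) === 1 ? 'RAW MARKUP SURVIVED' : 'ok';
    printf("%-18s %-20s %s\n", $name, $verdict, $html);
}
```

Every row prints "ok": whatever escape syntax was used in the PHP source, the bytes reaching htmlentities() are either genuine < and > (encoded to &lt; and &gt;) or harmless literal text. This holds only for element content; the same value placed in an attribute, a script block, or a URL needs that context's own encoding.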