arianhojat Posted June 4, 2008

Whenever I need to output a variable in HTML, I make sure to use PHP's htmlspecialchars(), like so:

    echo '<select id="entityText" name="entityText">';
    while( $row = mysql_fetch_assoc($result) ){
        $TextfromDatabase = $row['entityText'];
        echo '<option value="'.htmlspecialchars($TextfromDatabase).'">'. htmlspecialchars($TextfromDatabase) .'</option>';
    }
    echo '</select>';
    ....
    echo '<div id="addEntityDiv">';
    // btw this is called if there is an error on the form, so it adds the submitted info back to the form...
    // (Code isn't shown here, but if there are no errors the form is redirected somewhere else.)
    foreach($_GET['customParams']['Entities'] as $entitytext)
    {
        echo '<input type="hidden" name="customParams[Entities][]" value="'. htmlspecialchars($entitytext) .'"/>';
        echo '<div>'. htmlspecialchars($entitytext) .'</div>';
    }
    echo '</div>';

So to get those customParams[Entities][] values to even exist, a user clicks on a select option and presses an add button, and some JavaScript creates those form elements like so:

    var entitytext = jQuery('#entityText').val();
    jQuery('<input type="hidden" name="customParams[Entities][]" value="'+ entitytext +'"/>').appendTo("#addEntityDiv");
    jQuery( '<div>'+ entitytext +'</div>').appendTo('#addEntityDiv');

I think the part that gets me is if there are funky characters in the initial select box. Like, pretend one of the select options in the database is for some reason something funky like:

    <' AlternativeEnergy ">

Then the option's value for it is

    <option value="<' AlternativeEnergy ">">

since it gets htmlspecialchar-ized.

So no matter what the JavaScript looks like below (tried them all), it messes up the values output to the screen and the hidden input:

    jQuery( '<div>'+ entitytext +'</div>').appendTo('#addEntityDiv');
    jQuery( '<div>'+ escape(entitytext) +'</div>').appendTo('#addEntityDiv');
    jQuery( '<div>'+ unescape(entitytext) +'</div>').appendTo('#addEntityDiv');

It will output, for example, since it's not escaping stuff correctly:

    "/> <' AlternativeEnergy ">

and when posted (and an error occurs), it also messes up and outputs something wrong, since that foreach($_GET['customParams']['Entities']...) gets called. Any ideas how to use escaping efficiently in PHP/JavaScript combined?

PS: all the ', ", and > (quotes and greater-than/less-than signs) are literal in the output I give as an example. The phpfreaks forums did a good job of sanitizing my post.
arianhojat Posted June 4, 2008 (Author)

I figured out I can maybe just use a JavaScript version of htmlspecialchars(), and that seemed to sanitize things well without funky things happening... Any reason why this is a bad solution?

    function htmlspecialchars(string, quote_style) {
        // http://kevin.vanzonneveld.net
        // +   original by: Mirek Slugen
        // +   improved by: Kevin van Zonneveld (http://kevin.vanzonneveld.net)
        // *     example 1: htmlspecialchars("<a href='test'>Test</a>", 'ENT_QUOTES');
        // *     returns 1: '&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;'
        var regex;
        string = string.toString();

        // Always encode (ampersand first, so later entities are not double-encoded)
        regex = /&/g;
        string = string.replace(regex, '&amp;');
        regex = /</g;
        string = string.replace(regex, '&lt;');
        regex = />/g;
        string = string.replace(regex, '&gt;');

        // Encode depending on quote_style
        if (quote_style == 'ENT_QUOTES') {
            regex = /"/g;
            string = string.replace(regex, '&quot;');
            regex = /'/g;
            string = string.replace(regex, '&#039;');
        } else if (quote_style != 'ENT_NOQUOTES') {
            // All other cases (ENT_COMPAT, default, but not ENT_NOQUOTES)
            regex = /"/g;
            string = string.replace(regex, '&quot;');
        }

        return string;
    }
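As an added example (not code from either post above), here is the same rule applied in plain JavaScript to the post's own sample value. The browser has already decoded the option's value attribute by the time jQuery('#entityText').val() reads it, so the raw string must be escaped exactly once at the point where it is concatenated into new markup; escaping in PHP on output and again in JavaScript on insertion is not double-escaping, because the decode in between is done by the browser. The function names (buildEntityMarkupUnsafe, buildEntityMarkupSafe, attributeValueIntact) are my own, and the block runs without a DOM or jQuery.

```javascript
// JavaScript equivalent of PHP htmlspecialchars($s, ENT_QUOTES).
// '&' is replaced first so the '&' inside later entities is not re-encoded.
function htmlspecialchars(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Unsafe: the original concatenation from the first post. A value containing
// a double quote closes the attribute early and the rest becomes new markup.
function buildEntityMarkupUnsafe(entitytext) {
  return '<input type="hidden" name="customParams[Entities][]" value="' + entitytext + '"/>' +
         '<div>' + entitytext + '</div>';
}

// Safe: escape once, exactly where the string enters HTML (attribute and text).
function buildEntityMarkupSafe(entitytext) {
  var e = htmlspecialchars(entitytext);
  return '<input type="hidden" name="customParams[Entities][]" value="' + e + '"/>' +
         '<div>' + e + '</div>';
}

// Check used below: the hidden input's value attribute must still end with the
// "/> we wrote, and must contain no raw angle brackets that could open a tag.
function attributeValueIntact(markup) {
  var m = /value="([^"]*)"\/>/.exec(markup);
  return m !== null && m[1].indexOf('<') === -1 && m[1].indexOf('>') === -1;
}

// Constructed sample: the "funky" database value from the post, as the browser
// hands it back from .val() (already decoded).
var sample = '<\' AlternativeEnergy ">';

function demo() {
  return {
    escaped: htmlspecialchars(sample),                    // &lt;&#039; AlternativeEnergy &quot;&gt;
    unsafeIntact: attributeValueIntact(buildEntityMarkupUnsafe(sample)), // false
    safeIntact: attributeValueIntact(buildEntityMarkupSafe(sample))      // true
  };
}
```

In the browser, the escaping can be avoided altogether by setting DOM properties instead of building markup: jQuery('<div/>').text(entitytext) and jQuery('<input type="hidden"/>').attr('name', 'customParams[Entities][]').val(entitytext) take the raw string and never parse it as HTML.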