
[SOLVED] htmlspecialchars()


Bricktop


Hi all,

 

I have a function which opens up a text file, stores the lines into an array and then outputs a random line to the browser - it's for a testimonials section of a website.

 

I want to use htmlspecialchars() on the output but when I do it outputs the full HTML code to the screen.

 

For example, this is how a testimonial with a link (somecompany.com) looks when output to the browser when not using htmlspecialchars:

 

SomeCompany.com were great at that thing they did.

 

This is how that same testimonial looks with htmlspecialchars formatting the output:

 

<a href="http://www.somecompany.com" target="_blank">SomeCompany.com</a> were great at that thing they did.

 

I've tried with ENT_QUOTES on and off, any ideas what's going on?

 

Thanks


htmlspecialchars encodes (thus they are not processed by your browser, like you would want) <, >, " and '. Leave the htmlspecialchars out.

 

<a href="hello-world">Hello World</a>

 

has been converted to:

&lt;a href=&quot;hello-world&quot;&gt;Hello World&lt;/a&gt;

 

and shows up as:

<a href="hello-world">Hello World</a>

Thanks ignace, but I would like the protection of htmlspecialchars but with the ability to display the output normally.

 

Do I need to use htmlspecialchars_decode or some other function to achieve the above?

 

Essentially I want to prevent any HTML injects - is htmlentities a better option or will it do exactly the same?


Yes you need to use the decode function.

 

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

 

If all you'll ever need is the a-element for URLs, I'd suggest writing some regex that finds a URL in the text and converts it to <a href="$1">$1</a>. This way you aren't bothered with possible HTML injects.
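The approach sketched in the last paragraph, written out as an added example (this is not code from the thread or from either poster): every line is run through htmlspecialchars() first, so any markup stored in the text file is displayed literally, and only afterwards are bare http/https URLs turned into links. The function name render_testimonial(), the regex and the sample lines are assumptions made for this example; it presumes the testimonials file stores plain URLs rather than ready-made <a> tags.

```php
<?php
// Added example, not code from the original thread. It follows the idea in
// ignace's last reply: escape the whole line so stored markup is shown
// literally, then turn bare http/https URLs into <a> tags.
// The function name, the regex and the sample lines are constructed here.

function render_testimonial(string $line): string
{
    // Escape <, >, &, " and ' first. After this step the string contains no
    // raw angle brackets or quotes, so nothing typed into the text file can
    // open a tag or break out of an attribute.
    $safe = htmlspecialchars($line, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Only http/https schemes are turned into links, so "javascript:" text
    // stays plain. Group 1 is the URL, group 2 is trailing punctuation such
    // as a full stop that belongs to the sentence, not the address.
    $pattern = '~(https?://\S+?)([.,;:!?)]*)(?=\s|$)~i';

    return preg_replace_callback($pattern, function (array $m): string {
        // $m[1] is already entity-encoded (e.g. & is &amp;), which is the
        // correct form inside an href attribute as well as in link text.
        return '<a href="' . $m[1] . '" target="_blank" rel="noopener">'
             . $m[1] . '</a>' . $m[2];
    }, $safe);
}

// Stand-in for the lines read from the testimonials file (constructed).
$testimonials = [
    'SomeCompany.com were great at that thing they did. http://www.somecompany.com',
    "Visit https://example.com/?a=1&b=2, it's nice!",
    '<script>alert(1)</script> <a href="javascript:alert(1)">click</a> tried to sneak in.',
];

// Print every line so the effect of each case is visible; the real page
// would use array_rand() to pick one, as the original function does.
foreach ($testimonials as $line) {
    echo render_testimonial($line), "\n";
}
```

The first line becomes a clickable link, the second keeps its query string (with & shown as &amp;, which a browser decodes correctly inside href) and the comma stays outside the anchor, and the third is printed as visible text because the escaping happens before any tags are generated. The example deliberately never calls htmlspecialchars_decode(): decoding the line before output would restore whatever tags were in the file. htmlentities() would additionally encode accented characters, which changes nothing about the protection either way.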
