
[SOLVED] htmlspecialchars()


Bricktop


Hi all,

 

I have a function which opens up a text file, stores the lines into an array and then outputs a random line to the browser - it's for a testimonials section of a website.

 

I want to use htmlspecialchars() on the output but when I do it outputs the full HTML code to the screen.

 

For example, this is how a testimonial with a link (somecompany.com) looks when output to the browser when not using htmlspecialchars:

 

SomeCompany.com were great at that thing they did.

 

This is how that same testimonial looks with htmlspecialchars formatting the output.

 

<a href="http://www.somecompany.com" target="_blank">SomeCompany.com</a> were great at that thing they did.

 

I've tried with ENT_QUOTES on and off, any ideas what's going on?

 

Thanks


htmlspecialchars encodes <, >, " and ' (thus they are not processed by your browser, like you would want). Leave the htmlspecialchars out.

 

<a href="hello-world">Hello World</a>

has been converted to:

&lt;a href=&quot;hello-world&quot;&gt;Hello World&lt;/a&gt;

and shows up as:

<a href="hello-world">Hello World</a>


Thanks ignace, but I would like the protection of htmlspecialchars but with the ability to display the output normally.

 

Do I need to use htmlspecialchars_decode or some other function to achieve the above?

 

Essentially I want to prevent any HTML injects - is htmlentities a better option or will it do exactly the same?


Yes you need to use the decode function.

 

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

 

If all you'll ever need is the a-element for URLs, I'd suggest writing some regex that finds a URL in the text and converts it to <a href="$1">$1</a>. This way you aren't bothered with possible HTML injects.
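The two replies above (what htmlspecialchars() does to the output, and the suggestion to find URLs with a regex and wrap them in an a-element) carried through in working PHP, as an added example that is not code from this thread or from either poster. The function names and the sample testimonials are assumptions made up for the example; the original reads its lines from a text file, which loadTestimonials() mirrors but the demo does not call. It also shows what htmlspecialchars_decode() actually does to "protection plus normal display": decoding hands the raw markup straight back to the browser, so any tag in the testimonial file runs. The order that keeps the protection is escape first, then add only the markup you want, which here is http(s) links.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical;
// the testimonials below are constructed sample input (the original reads
// them from a text file with one testimonial per line).
declare(strict_types=1);

const SAMPLE_TESTIMONIALS = [
    'https://www.somecompany.com were great at that thing they did.',
    'Ask about "pricing" & you\'ll get a straight answer (see https://example.org/faq?a=1&b=2).',
    '<img src=x onerror="alert(1)"> five stars!',
];

// Same shape as the original function: one testimonial per line of a file.
// Not called in the demo below, so the script runs without the file.
function loadTestimonials(string $path): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return $lines === false ? [] : $lines;
}

function randomTestimonial(array $lines): string
{
    return $lines[array_rand($lines)];
}

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole string into "".
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The "decode it again" approach: the escaping is undone, so whatever
// markup sits in the testimonial file reaches the browser unchanged.
function renderDecoded(string $text): string
{
    return htmlspecialchars_decode(escapeHtml($text), ENT_QUOTES | ENT_HTML5);
}

// Escape first, then turn bare http(s) URLs into links. The only tags in
// the result are the <a> elements emitted here; the URL text is already
// escaped, so it is safe both inside the quoted href and as link text.
function renderLinkified(string $text): string
{
    $escaped = escapeHtml($text);

    // Only http/https, so javascript: and data: never become links. In the
    // escaped text a literal "&" is "&amp;", while an escaped "<" or quote is
    // "&" followed by something else, so a URL match stops before it.
    $pattern = '~\bhttps?://(?:[^\s&<>"\']|&amp;)+~i';

    $linked = preg_replace_callback($pattern, static function (array $m): string {
        // Keep trailing sentence punctuation out of the link target.
        $url  = rtrim($m[0], '.,;:!?)');
        $tail = substr($m[0], strlen($url));
        return '<a href="' . $url . '" target="_blank" rel="noopener noreferrer">'
            . $url . '</a>' . $tail;
    }, $escaped);

    // A regex failure leaves the text escaped, which is still safe output.
    return $linked ?? $escaped;
}

foreach (SAMPLE_TESTIMONIALS as $t) {
    echo 'decoded:   ', renderDecoded($t), PHP_EOL;
    echo 'linkified: ', renderLinkified($t), PHP_EOL, PHP_EOL;
}
echo 'random:    ', renderLinkified(randomTestimonial(SAMPLE_TESTIMONIALS)), PHP_EOL;
```

Run it with the php command-line binary. For the third sample the decoded line contains the img tag intact, which is exactly the HTML inject the thread wants to prevent, while the linkified line shows it as harmless text. The regex must run on the already-escaped string: run it before escaping and the a-elements it emits would be escaped along with everything else, which is the symptom described in the first post.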
