
Htmlspecialchars Partially Converts Strings


phdphd
Solved by phdphd

Hi All,

I am applying htmlspecialchars to strings before displaying them to the user. In theory, there are 2 situations:

 

1/ when the user submits a form, I display the just-entered data as plain text at the top of the next form to tell the user that their entries have been taken into account.

 

2/ Should the user make a mistake while filling a form, the form is displayed again with form fields ("value" parameters of input tags) prefilled so that correctly-entered data does not need retyping.

 
In both cases, I use the syntax echo htmlspecialchars($string) to display the data.

 

To simulate both cases at the same time, I have put echo htmlspecialchars($string) both into a "value" parameter of an input tag and outside this input tag, and left some mandatory fields blank to force the form to display again. The string tested is <<<<<<"<<<<<<. From the user's point of view, the string is reproduced as is in both cases. However, the html output differs: where the string is plain text, the html output is &lt;&lt;&lt;&lt;&lt;&lt;"&lt;&lt;&lt;&lt;&lt;&lt; (every character is converted except the double quote), whereas where the string is the content of the "value" parameter of the input tag, the html output is <<<<<<&quot;<<<<<< (only the double quote is converted).

I have 3 questions:

1. Since I did not use ENT_NOQUOTES, why did the double quote not get converted in the plain text situation? (official doc: '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.)

2. Why did the "less than" characters remain untouched in the input tag situation? (official doc: '<' (less than) becomes '&lt;')

3. Does this apparent lack of conversions bear some risks as far as the html structure of the whole page is concerned?

 

Thanks!

 

(PHP version: 5.3.25)

There don't seem to be any bug reports in 5.3.25+ on the issue. My guess is that your browser is just decoding it. You can test by entering " onclick="javascript:alert(String.fromCharCode(88,83,83))" and if it alerts when you click it, then something is going on.

The web browser encodes anything sent via GET or POST into what is known as percent encoding. I think at the same time it also decodes the htmlentities encoding into their original characters. This causes the htmlentities values to be converted into the percent encoding equivalent.

 

When PHP processes the POST data, I believe it decodes the percent encoded POST request. So when you echo out the value from $_POST it is not htmlentities encoded anymore.

 

So you enter this into your form

<div class="post"><b>data</b></div>

When the form is first submitted you convert it to htmlentities, then add it to your form's field and set its value to &lt;div class=&quot;post&quot;&gt;&lt;b&gt;data&lt;/b&gt;&lt;/div&gt;

 

When the form is submitted again, the web browser will convert it to percent encoding: %3Cdiv+class%3D%22post%22%3E%3Cb%3Edata%3C%2Fb%3E%3C%2Fdiv%3E

 

Then, when you echo the data from $_POST, you'll get the raw html back: <div class="post"><b>data</b></div>

 

Code I used for testing.

<?php
// Default to a sample value on first load; on resubmission use what the browser sent back.
$text = isset($_POST['text']) ? $_POST['text'] : '<div class="post"><b>data</b></div>';
?>
<!-- Raw echo on purpose: shows that $_POST holds the decoded text, not the entity-encoded form -->
<pre><?php echo $text; ?></pre>
<hr>
<form method="post">
	Text: <textarea name="text" cols="20" rows="5"><?php echo htmlentities($text); ?></textarea>
	<input type="submit" value="submit" />
</form>
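The following is an added example, not code posted in this thread, that checks the three questions from the first post directly: what htmlspecialchars() actually emits for the tested string, whether the escaped output keeps the page structure intact in both the text and the attribute context, and why the value does not come back double-encoded after the browser resubmits it (the round trip the second reply describes). It assumes a PHP CLI with the standard dom extension; DOMDocument stands in for the browser's parser, and http_build_query()/parse_str() stand in for the browser's percent-encoding and PHP's $_POST decoding.

```php
<?php
// Added example (not from the thread). Verifies htmlspecialchars() behaviour in
// text and attribute contexts and simulates the browser/PHP round trip.

// Explicit check instead of assert(), so the checks run regardless of zend.assertions.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$string = '<<<<<<"<<<<<<';   // the string tested in the original post

// 1. Default flags convert both '<' and '"' (ENT_COMPAT in PHP 5.3, ENT_QUOTES from 8.1;
//    for this string the result is the same).
$escaped = htmlspecialchars($string);
echo "escaped:      $escaped\n";
check($escaped === '&lt;&lt;&lt;&lt;&lt;&lt;&quot;&lt;&lt;&lt;&lt;&lt;&lt;', 'default flags');

// ENT_NOQUOTES is the only flag that leaves the double quote alone.
check(htmlspecialchars($string, ENT_NOQUOTES) === '&lt;&lt;&lt;&lt;&lt;&lt;"&lt;&lt;&lt;&lt;&lt;&lt;', 'ENT_NOQUOTES');

// 2. The same escaped text used as plain text and inside value="...".
$html = '<p>' . $escaped . '</p>'
      . '<form method="post"><input type="text" name="f" value="' . $escaped . '"></form>';

// Parse it the way a browser would and confirm the structure survived:
// one <input>, whose value attribute and the <p> text both decode to the original.
$doc = new DOMDocument();
$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
$inputs = $doc->getElementsByTagName('input');
check($inputs->length === 1, 'exactly one input element');
$value = $inputs->item(0)->getAttribute('value');
check($value === $string, 'attribute value decodes to the original string');
check($doc->getElementsByTagName('p')->item(0)->textContent === $string, 'text decodes to the original');

// 3. Round trip: the browser submits the *decoded* attribute value, percent-encoded,
//    and PHP decodes the percent-encoding when it builds $_POST.
$wire = http_build_query(['f' => $value]);     // constructed: what goes over the wire
echo "on the wire:  $wire\n";                   // f=%3C%3C%3C%3C%3C%3C%22%3C%3C%3C%3C%3C%3C
parse_str($wire, $post);                        // constructed stand-in for $_POST
check($post['f'] === $string, 'PHP receives the original string');
// Escaping it again for the next page therefore produces the same output, not a double encoding.
check(htmlspecialchars($post['f']) === $escaped, 'no double encoding on resubmission');

// For contrast, the unescaped string inside value="...": the embedded quote ends the
// attribute early, so the parsed value no longer matches what was meant to be shown.
$doc2 = new DOMDocument();
@$doc2->loadHTML('<input type="text" name="f" value="' . $string . '">');
$broken = $doc2->getElementsByTagName('input')->item(0)->getAttribute('value');
check($broken !== $string, 'unescaped attribute does not survive parsing intact');
echo "unescaped attribute parsed as: " . var_export($broken, true) . "\n";
echo "all checks passed\n";
```

Run it with php on the command line. The contrast at the end is the answer to question 3: the escaping is what keeps a quote or an angle bracket in user data from changing the page's structure, so as long as every echo into markup goes through htmlspecialchars() with quote conversion enabled, the output observed in the thread is harmless; what looked like missing conversions was the browser's own decoding of a selection, as the accepted answer explains.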

  • Solution

Thanks for your replies.

 

Shame on me. In Firefox, to display the html output of the text of interest, I made the mistake of selecting a portion of the form that spans that text, then right-clicking and choosing to display the source code of the selection, in order to visually locate the text quickly. I did not pay attention to the fact that the html output did not span the whole page. One learns a bit every day. Sorry for the time lost.

 

Both htmlentities and htmlspecialchars do the job.
