phdphd, posted November 20, 2013

Hi All,

I am applying htmlspecialchars to strings before displaying them to the user. In theory, there are 2 situations:

1. When the user submits a form, I display the just-entered data as plain text at the top of the next form to tell the user that their entries have been taken into account.
2. Should the user make a mistake while filling in a form, the form is displayed again with the form fields ("value" parameters of input tags) prefilled so that correctly-entered data does not need retyping.

In both cases, I use the syntax

echo htmlspecialchars($string)

to display the data. To simulate both cases at the same time, I have put echo htmlspecialchars($string) both into a "value" parameter of an input tag and outside this input tag, and left some mandatory fields blank to force the form to display again.

The string tested is <<<<<<"<<<<<<. From the user's point of view, the string is reproduced as is in both cases. However, the html output differs: where the string is plain text, the html output is <<<<<<"<<<<<< (every character is converted except the double quote), whereas where the string is the content of the "value" parameter of the input tag, the html output is <<<<<<"<<<<<< (only the double quote is converted).

I have 3 questions:

1. Since I did not use ENT_NOQUOTES, why did the double quote not get converted in the plain text situation? (official doc: '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.)
2. Why did the "less than" characters remain untouched in the input tag situation? (official doc: '<' (less than) becomes '<'.)
3. Does this apparent lack of conversion bear some risk as far as the html structure of the whole page is concerned?

Thanks!

(PHP version: 5.3.25)
MDCode, posted November 20, 2013

There don't seem to be any bug reports in 5.3.25+ on the issue. My guess is that your browser is just decoding it. You can test by entering

" onclick="javascript:alert(String.fromCharCode(88,83,83))"

and if it alerts when you click it, then something is going on.
Ch0cu3r, posted November 20, 2013

The web browser encodes anything sent via GET or POST into what is known as percent encoding. I think at the same time it also decodes the htmlentities encoding into their original characters. This causes the htmlentities values to be converted into the percent encoding equivalent. When PHP processes the POST data I believe it decodes the percent encoded POST request. So when you echo out the value from $_POST it is not htmlentities encoded anymore.

So you enter this into your form:

<div class="post"><b>data</b></div>

When the form is first submitted you convert it to htmlentities, then add it to your form's field, setting its value to:

<div class="post"><b>data</b></div>

When the form is submitted again the web browser will convert it to percent encoding:

%3Cdiv+class%3D%22post%22%3E%3Cb%3Edata%3C%2Fb%3E%3C%2Fdiv%3E

Then when you echo the data from $_POST you'll get the raw html back:

<div class="post"><b>data</b></div>

Code I used for testing:

<?php
// Use the submitted text if there is one, otherwise a default HTML sample.
$text = isset($_POST['text']) ? $_POST['text'] : '<div class="post"><b>data</b></div>';
?>
<!-- Echoed raw on purpose, to show what $_POST actually contains. -->
<pre><?php echo $text; ?></pre>
<hr>
<form method="post">
    <!-- Encoded here so the browser shows the literal characters in the field. -->
    Text: <textarea name="text" cols="20" rows="5"><?php echo htmlentities($text); ?></textarea>
    <input type="submit" value="submit" />
</form>
phdphd (author), posted November 20, 2013, marked as solution

Thanks for your replies. Shame on me. In Firefox, to display the html output of the text of interest, I made the mistake of selecting a portion of the form that spans that text, then right-clicking and choosing to display the source code of the selection, in order to visually locate the text quickly. I did not pay attention to the fact that the html output did not span the whole page. One learns a bit every day. Sorry for the time lost. Both htmlentities and htmlspecialchars do the job.
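The two output contexts from the question (plain text between tags, and the "value" attribute of an input tag) handled with one escaping helper, as an added example that is not code from the thread. The inputs are constructed: the string from the question and the probe string from the second reply. The helper names (esc, confirmation, input_field) are this example's own, not PHP API.

```php
<?php
// Added example, not code from the thread. It escapes one user-supplied
// string for the two contexts the question describes: as plain text between
// tags, and inside a double-quoted value="" attribute of an input tag.

// Escape for HTML. ENT_QUOTES also converts single quotes, so the result is
// safe inside single-quoted attributes too; the charset is stated explicitly.
function esc($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Plain-text context: the confirmation line at the top of the next form.
function confirmation($raw)
{
    return '<p>You entered: ' . esc($raw) . '</p>';
}

// Attribute context: the prefilled field shown when the form is redisplayed.
function input_field($name, $raw)
{
    return '<input type="text" name="' . esc($name) . '" value="' . esc($raw) . '">';
}

// Constructed inputs: the string from the question and the probe suggested in
// the second reply. Neither comes from a live request.
$inputs = array(
    '<<<<<<"<<<<<<',
    '" onclick="javascript:alert(String.fromCharCode(88,83,83))',
);

foreach ($inputs as $raw) {
    $text  = confirmation($raw);
    $field = input_field('f', $raw);

    // In the raw HTML, no '<' or '"' from the input survives unescaped. The
    // only '<' in the text context are the <p> and </p> tags, and the probe
    // cannot close the value attribute: exactly six double quotes remain, the
    // three pairs that delimit type, name and value.
    assert(substr_count($text, '<') === 2);
    assert(substr_count($field, '"') === 6);

    echo $text, "\n", $field, "\n\n";
}
```

Run it from the command line (php example.php) or fetch the page with curl and read the bytes PHP actually sent. Firefox's "View Selection Source" serializes the already-parsed DOM, so it shows the characters the browser reconstructed, not the entities in the response, which is why the first post saw different output in the two contexts.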