9.10.1. Problem

You want to securely display user-entered data on an HTML page. For example, you want to allow users to add comments to a blog post without worrying that HTML or JavaScript in a comment will cause problems.

9.10.2. Solution

Pass user input through htmlentities( ) before displaying it, as in Example 9-19.

Example 9-19. Escaping HTML
9.10.3. Discussion

PHP has a pair of functions to escape HTML entities. The most basic is htmlspecialchars( ), which escapes four characters: < > " and &. Depending on optional parameters, it can also translate ' instead of or in addition to ". For more complex encoding, use htmlentities( ); it expands on htmlspecialchars( ) to encode any character that has an HTML entity. Example 9-20 shows htmlspecialchars( ) in action.

Example 9-20. Escaping HTML entities
Example 9-20 prints:

<a href="fletch.html">Stew's favorite movie.</a>
<a href="fletch.html">Stew's favorite movie.</a>
<a href="fletch.html">Stew's favorite movie.</a>

By default, both htmlentities( ) and htmlspecialchars( ) use the ISO-8859-1 character set. To use a different character set, pass the character set as a third argument. For example, to use UTF-8, call htmlentities($string, ENT_QUOTES, 'UTF-8').

9.10.4. See Also

Recipes 18.4 and 19.13; documentation on htmlentities( ) at http://www.php.net/htmlentities and htmlspecialchars( ) at http://www.php.net/htmlspecialchars.
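The following is an added example, not code from the recipe, that puts the discussion above side by side: htmlspecialchars( ) with and without ENT_QUOTES, htmlentities( ) on the same input, and an explicit charset argument. The comment string is constructed for this example; the escapeHtml( ) helper and its use of ENT_SUBSTITUTE (available from PHP 5.4) are additions, not part of the recipe. The ISO-8859-1 default described in the recipe applies to PHP versions before 5.4; later versions default to UTF-8, so passing the charset explicitly is the portable choice either way.

```php
<?php
// Added example (not from the recipe): contrast htmlspecialchars() and
// htmlentities(), and show how the quote flags and the charset argument
// change what reaches the browser.

declare(strict_types=1);

// Constructed sample comment: contains markup, both quote styles, and a
// non-ASCII character (é) to show what htmlentities() does beyond the
// characters htmlspecialchars() handles.
$comment = '<img src=x onerror="alert(1)"> Stew\'s café is "great"';

// Minimal escaping: < > & and " become entities; ' is left alone because
// ENT_COMPAT (the default flag) only converts double quotes.
$basic = htmlspecialchars($comment, ENT_COMPAT, 'UTF-8');

// ENT_QUOTES converts both " and ', which matters when user data ends up
// inside a single-quoted attribute such as title='...'.
$both = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');

// htmlentities() additionally converts every character that has a named
// HTML entity, so é becomes &eacute; as well.
$full = htmlentities($comment, ENT_QUOTES, 'UTF-8');

// Hypothetical helper for the common case: escape a value for a text node
// or a quoted attribute value. ENT_SUBSTITUTE (PHP >= 5.4) replaces invalid
// UTF-8 sequences with U+FFFD instead of returning an empty string, so a
// malformed byte sequence cannot silently blank out the output.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo $basic, PHP_EOL;
echo $both, PHP_EOL;
echo $full, PHP_EOL;

// Same escaped value is safe both as attribute content and as a text node.
echo '<p title=\'' . escapeHtml($comment) . '\'>' . escapeHtml($comment) . '</p>', PHP_EOL;
```

Run it from the command line with php and compare the three lines: the first still contains the raw single quote, the second has every quote converted, and the third also replaces the accented character with its named entity. For output that is always UTF-8, htmlspecialchars( ) with ENT_QUOTES is sufficient; htmlentities( ) is useful when the page's declared charset cannot represent the characters in the data.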