I have this code:
$title = 'Alguém';
<h1><?php echo htmlentities($title, \ENT_QUOTES, 'UTF-8', false); ?></h1>
PS: this is just a example, on my current code i get the value of $title from my database.
the result that can be seen on the web page:
<h1>Alguém</h1>
And the result that can be seen on the view-source::
<h1>Alguém</h1>
Why this happens? Am i using htmlentities correctly?
Your code is working correctly. htmlentities converts html entities into a defined series of characters that your browser can interpret as the entity you want to display in your browser. This is done to prevent malicious code from being run in your script.
As an example:
Without html entities being used this line of code will actually work. Your browser sees the line of code as:
<script>alert("I just hacked your html")</script>
When you sanitize that same line of code with htmlentities() it replaces all of the entities with the defined series of character representations that the browser interprets as the entity. So this is what gets outputted to the browser.
<script>alert("I just hacked your html")<
This script will not get ran as javascript in your browser.
Here is a link that you can read that will give you some additional information. There is plenty of information on google that outlines this.
html entities
Here is a list of html entities:
Entity list
Hope that helps.
echo htmlentities($title, ENT_QUOTES);
Related
I'm making a website where a user should be able to use HTML and CSS in their profiles but I came across one problem.
<?php
$profile = "<h1>THIS IS A TEST</h1>";
echo htmlentities($profile);
?>
That's my code, but it only show this in the profile:
<h1>THIS IS A TEST&</h1>
I don't know what is happening, nor do I know if this only happens to me.
How do I make it show only the h1 content?
Function htmlentities is showing the representation of html characters like tags etc., and is being used especially to avoid parsing as html. So if you mean to echo html so that the browser parses it as html, the last thing you want is to use this function! Just echo it out directly, no need to use htmlentities or htmlspecialchars!
You just have to use echo $profile;, that's all. Check this and don't forget to check Display as HTML as browsers display PHP echoed text as HTML unless they're told to display it differently.
I have a php page that displays customer's input, which I saved in mysql database. When the input is loaded, some html characters are displayed wrongly.
For example this url:
http://www.greenbook.club/shopjerry/index.php/014101201323
You can see that the browser actually displays & amp; not just &.
I tried to use htmlspecialchars_decode or html_entity_decode, but seems no impact.
The code is really basic, just:
<?php echo $description ?>
////I also tried this, but no difference
<?php echo html_entity_decode($description) ?>
Can someone help?
I'd be looking at how this data is being saved. It appears that it's being encoded each time it's being saved without being decoded.
If you look at the rogue codes ie can&amp;#39;t which is originally the word can't.
On the first save the single quote in can't would be getting turned into '
On the Second save that would then turn into ' then &#39 and so on for each save.
SO the issue is with the process of saving the content from the editor into the Database. The content is being encoded when saved to the DB from the Editor but not decoded when loaded back from the DB into the editor.
I use html entities to secure my site.
And my client want to add link in his post using the CMS.
how to make exception in html entities?
my code example:
<p><?php echo h($row['message']) ?></p>
//h is my function for htmlentities
My code display this message:
"You can click this link Link"
//And I dont know my data insert '\'
//It become Link
If my question is not clear please ask.
Really appreciate.
I believe what you want to do is pass into the DB with htmlentities() so it doesn't mess with your DB. To retrieve them you would use html_entity_decode(). The html_entity_decode() converts all strings with HTML entities back to there original string.
http://php.net/manual/en/function.html-entity-decode.php
Hopefully this answers your question.
Edit:
Raw data retrieved: http://www.example.com
Through htmlentities it spits out the HTML entities, which the browser cannot interpret when attempting to find that page. The use of htmlentities() (please if I'm wrong correct me) is to encode user input before passing it anywhere else.
User input: <script>hacks</script>
Passed though htmlentities:
<script>hacks< (whatever backslash is)script>
(This way it can't mess with anything in your database, better example is the use of PHP/MySQL but I'm not well versed to give that exact example at the moment.)
However this would expose your site when decoding it as well and other precautions would have to be taken.
Try this :
<?php
$link = h(stripslashes($row['message']));
?>
You can click this link <a href='<?php echo $link; ?>'>Link</a>
I'm storing HTML and text data in my database table in its raw form - however I am having a slight problem in getting it to output correctly. Here is some sample data stored in the table AS IS:
<p>Professional Freelance PHP & MySQL developer based in Manchester.
<br />Providing an unbeatable service at a competitive price.</p>
To output this data I do:
echo $row['details'];
And this outputs the data correctly, however when I do a W3C validator check it says:
character "&" is the first character of a delimiter but occurred as data
So I tried using htmlemtities and htmlspecialchars but this just causes the HMTL tags to output on the page.
What is the correct way of doing this?
Use & instead of &.
What you want to do is use the php function htmlentities()...
It will convert your input into html entities, and then when it is outputted it will be interpreted as HTML and outputted as the result of that HTML...For example:
$mything = "<b>BOLD & BOLD</b>";
//normally would throw an error if not converted...
//lets convert!!
$mynewthing = htmlentities($mything);
Now, just insert $mynewthing to your database!!
htmlentities is basically as superset of htmlspecialchars, and htmlspecialchars replaces also < and >.
Actually, what you are trying to do is to fix invalid HTML code, and I think this needs an ad-hoc solution:
$row['details'] = preg_replace("/&(?![#0-9a-z]+;)/i", "&", $row['details']);
This is not a perfect solution, since it will fail for strings like: someone&son; (with a trailing ;), but at least it won't break existing HTML entities.
However, if you have decision power over how the data is stored, please enforce that the HTML code stored in the database is correct.
In my Projects I use XSLT Parser, so i had to change to (e.g.). But this is the safety way i found...
here is my code
$html = trim(addslashes(htmlspecialchars(
html_entity_decode($_POST['html'], ENT_QUOTES, 'UTF-8'),
ENT_QUOTES, 'UTF-8'
)));
And when you read from DB, don't forget to use stripslashes();
$html = stripslashes($mysq_row['html']);
I am modifying an existing source code viewer script in PHP that I found on the web. It is to store source code in a nice category fashion.
I am having a problem now though. Below is a screen shot of me viewing the source code in Firefox, you can see the part that is supposed to show on the screen but for some reason it is not showing on the screen, it is showing up in the source of the page though so I am really confused as to why I cannot view it in the browser? You will also notice that the text color is Pink/Purple color. The part inside the
Please not that it is not any CSS that is making it hidden or anything.
alt text http://img2.pict.com/cd/d2/74/2663869/0/screenshot2b209.png
<?php is considered as an opening tag, which is only closed by ?> ; and the browser doesn't display tags themselves.
The <td> tags, for instance, are not displayed by your browser : they are interpreted to create a table ; it's the same with the <?php tag... But it doesn't generate any output, as the browser doesn't know what to do with it.
If you want to actually display your portion of PHP code in the HTML page, you have to encode it to HTML entities :
< should be converted to <
> should be converted to >
& should be converted to &
" should be converted to "
This way, you'll get some valid HTML, and not "things looking as HTML tags".
But note that if you want that portion of PHP code to actually be interpreted (So the query to the database is executed, and generates some output), you'll have to re-configure your webserver, so PHP code is interpreted : you should not see the PHP code on the browser-side.
Processing Instructions are not shown in the browser.
That is not "browser source code". It is PHP source code that superficially looks like HTML. This is not a petty distinction, but actually fundamental if you want to understand how things work. If you are viewing that exact code in Firefox, it means you're viewing the PHP as text, not rendered HTML.
So something is wrong with your PHP server setup.