I have the following code in index.html:
<div class="button">
Title
</div>
I'd like to save "ridiculously long string" in a text file, referenced by index.html. Is this possible?
I tried replacing the string like so the following, but it doesn't work: php reference: file_get_contents()
<div class="button">
Title
</div>
Errors symptoms: the button on my page now reads title="title">Title and clicking it takes me to a 404: The requested URL /~user/html_root/< was not found on this server.. index.html and text.txt are in the html_root directory.
Here's how one of the shorter text.txts read:
?autoplay=0&trail=0&grid=1&colors=1&zoom=1&s=%5B{%228%22:%5B60,61,98,103,109,115%5D},{%229%22:%5B60,61,77,78,97,99,102,104,108,110,114,116%5D},{%2210%22:%5B76,79,98,103,105,109,111,115,117%5D},{%2211%22:%5B76,79,104,110,112,116,118%5D},{%2212%22:%5B60,61,63,64,77,78,111,117%5D},{%2213%22:%5B60,61,63,64%5D},{%2219%22:%5B76,77,79,97,98,102,103,108,109,114,115%5D},{%2220%22:%5B76,78,79,97,99,102,104,108,110,114,116%5D},{%2221%22:%5B98,103,105,109,111,115,117%5D},{%2222%22:%5B104,110,112,116,118%5D},{%2223%22:%5B61,111,117%5D},{%2224%22:%5B60,62,76,77%5D},{%2225%22:%5B60,62,75,78%5D},{%2226%22:%5B61,76,79%5D},{%2227%22:%5B77,78,96,97,102,103,109,110,115,116%5D},{%2228%22:%5B96,98,102,104,109,111,115,117%5D},{%2229%22:%5B61,65,97,98,103,105,110,112,116,118%5D},{%2230%22:%5B60,62,64,66,104,105,111,113,117,119%5D},{%2231%22:%5B60,62,64,66,75,76,112,113,118,120%5D},{%2232%22:%5B61,65,75,78,119,120%5D},{%2233%22:%5B77,78%5D},{%2237%22:%5B78,79%5D},{%2238%22:%5B77,79%5D},{%2239%22:%5B77%5D},{%2240%22:%5B60,61,63,64,75,77%5D},{%2241%22:%5B61,63,75,76%5D},{%2242%22:%5B61,63%5D},{%2243%22:%5B60,61,63,64,114%5D},{%2244%22:%5B78,79,84,85,92,93,95,113,115%5D},{%2245%22:%5B79,84,86,92,93,95,96,97,104,112,115%5D},{%2246%22:%5B78,86,98,103,105,111,113,114%5D},{%2247%22:%5B75,77,86,87,92,93,95,96,97,102,105,110,112%5D},{%2248%22:%5B75,76,93,95,103,104,109,112%5D},{%2249%22:%5B93,95,110,111%5D},{%2250%22:%5B94%5D}%5D
I thought changing text.txt to a more benign URL might help debugging. I changed text.txt to https://www.google.com/ and get the same 404.
I could implement a javascript solution. There's already js on this webpage. But it's controlled by a colleague and I'd prefer to try a stand alone solution first. Many thanks to anyone who can help!
Anytime you want to inject arbitrary data into HTML, you need to wrap it with htmlspecialchars() so that any reserved characters are escaped. Additionally, you actually need to surround attribute values with quotes or you're going to be generating invalid HTML.
Title
Really though, "ridiculously long string" is questionable anyway. I assume you're using some huge data URI? If so, consider not doing that, as there are limits you'll run into and it's not efficient to base64-encode things.
When doing this job in PHP,one may meet this kind of issue:
<span title="<?php echo $variable;?>">...
The problem is that if $variable contains double quotes,should change it to \"
And that's not the whole story yet:
<span title='<?php echo $variable;?>'>...
In this case,we need to change single quotes to \',but leave double quotes as is.
So how can we do it in a general property manner?
You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:
<span title="<?php echo htmlspecialchars($variable); ?>">
You probably want to set the second parameter ($quote_style) to ENT_QUOTES.
The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.
Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure (double) quote is correctly changed.
Pay attention to the second parameter of that function.
To address your edit [Edit: that you have removed meanwhile]: When you place dynamically JavaScript onto your site, you should before know quite well, what it would look like. Else you open the door widely for XSS attacks. That doesn't mean you have to know every quotation mark, but you should know enough to decide how to embed it at the line where you finally output it in the HTML file.
Beyond that,
<a onclick="func('l')">
works exactly like
<a onclick="func('l')">
The Bat tool has a StringTool::htmlAttributes ( $arrayOfAttributes ) method that does the job too.
https://github.com/lingtalfi/Bat/blob/master/StringTool.php
Just noticed that when using single quotes to echo a basic link in php, the url repeats itself.
<?php
echo 'Link URL - Single Quotes<br />';
?>
The above code outputs the link as:
http://example.com/"http://example.com/"
Can anyone shed some light on the reason for this?
You shouldn't \-escape your " when you're using ' to surround the string as a whole. This couldn't create that output itself, but it might confuse a parser somewhere down the line, producing the problem. Try this instead:
echo 'Example.com<br />';
Use PHP to output dynamic data and leave the HTML out of it. This will save you hours of quotation frustration
?>
Example.com<br />
<?php
// carry on with the PHP
echo 'Example.com<br />';
outputs
Example.com<br />
The backslashes are included in the final output and most likely trip up the HTML parser.
You're escaping the double quotes. It isn't necessary when using single quotes and vice-versa.
<?php
echo 'Example.com<br />';
?>
The above code outputs the link as:
http://example.com/"http://example.com/"
No, it doesn't produce that output.
This is what you see in the browser when you put the cursor over the link and when you click on the link. It's part of the browser's job to resolve the relative and incomplete links, but what it shows to the user is, most of the times, not what it is written in the HTML code.
Use the browser's "View Source" functionality to see the HTML generated by your code.
The (invalid) HTML produced by your code is:
Link URL - Single Quotes<br />
The browser interprets \"http://example.com\" as the value of the href attribute. The HTTML attribute values can be either enclosed in quotes (") or apostrophes (') or unquoted at all and the quoting character must be the first non-space character after the equal sign (=). Because it finds a backslash (\) after the equal sign, it concludes the attribute value is not quoted and read everything until the first whitespace or until the tag ends (>) as the attribute's value.
The value \"http://example.com\" is not a valid URL and the browser handles it as an incomplete URL. An incomplete URL needs to be resolved to a complete URL in order to be used. It doesn't look like a relative URL (doesn't start with ..), it doesn't look like an absolute path without a host name either (doesn't start with /). The only way to resolve it is to treat it as a file name located in the same directory as the page that is currently loaded. Chances are that your offending code runs in a page located in the root of your website (http://example.com/index.php, for example).
I won't provide a fix for your problem here. The question already have plenty of answers that provide you various ways to avoid this happen.
However, take a look at the strings documentation page in the PHP manual. All you need to know is explained there.
I have a php website that on certain pages is adding a dot or space before the first html tag. I can't figure out where it is coming from - is there a way to debug the code so i can see where it is coming from?
Thanks,
Josh
To help prevents this happening it is considered a good practice to don't end your PHP file with a ?>.
You possibly have some file that are this way (notice the extra space after the ?>):
<?php
// Some code //
?>
If you would remove the ?> at the end, the extra space at the end of the file won't be interpreted as something to output.
For files that contain only PHP code,
the closing tag ("?>") is never
permitted. It is not required by PHP,
and omitting it´ prevents the
accidental injection of trailing white
space into the response.
Source: http://framework.zend.com/manual/en/coding-standard.php-file-formatting.html
Maybe it is a BOM character?
Maybe you should check your templates if you are using them... the problem could be there and not in your main code.
and yes is a GOOD PRACTICE in PHP not to close the ending tag.
There really is no good way to go about debugging this. You need to go through every file the page is hitting and figure out where the output is coming from. If you really wanted to be lazy about it you could do some output buffering, but this isn't the right way to do things.
Problems like this can be difficult to track down. If you're in some kind of framework or system that includes a lot of files, you might try a var_dump(get_included_files()) on the line before your error occurs, and that will give you a place to start. If that isn't sufficient, xdebug might get you further. Things to look out for are space before and after the PHP tags, and functions that might send output.
When doing this job in PHP,one may meet this kind of issue:
<span title="<?php echo $variable;?>">...
The problem is that if $variable contains double quotes,should change it to \"
And that's not the whole story yet:
<span title='<?php echo $variable;?>'>...
In this case,we need to change single quotes to \',but leave double quotes as is.
So how can we do it in a general property manner?
You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:
<span title="<?php echo htmlspecialchars($variable); ?>">
You probably want to set the second parameter ($quote_style) to ENT_QUOTES.
The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.
Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure (double) quote is correctly changed.
Pay attention to the second parameter of that function.
To address your edit [Edit: that you have removed meanwhile]: When you place dynamically JavaScript onto your site, you should before know quite well, what it would look like. Else you open the door widely for XSS attacks. That doesn't mean you have to know every quotation mark, but you should know enough to decide how to embed it at the line where you finally output it in the HTML file.
Beyond that,
<a onclick="func('l')">
works exactly like
<a onclick="func('l')">
The Bat tool has a StringTool::htmlAttributes ( $arrayOfAttributes ) method that does the job too.
https://github.com/lingtalfi/Bat/blob/master/StringTool.php