I'm trying to put html into a mailto link (<a href='mailto:...) and using htmlescapechars() but this doesn't seem to be what I need.
<a href='mailto:?subject=<?echo $subject_e=htmlspecialchars($subject, ENT_QUOTES)?>&body=<?=$subject_e?>%20via%20https://mySite.com/<?=htmlspecialchars($subjectLink, ENT_QUOTES)?>%20'>some text</a>
Can anyone explain under what conditions Example #1 in the htmlspecialchars() part of PHP's documentation works?
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
Running this function on my own server or on http://writecodeonline.com/php/ doesn't seem to convert the special characters.
So it doesn't appear to be a PHP version issue. Including the encoding parameter also had no effect. Wtf?
Running this function on my own server [...] doesn't seem to convert the special characters.
I bet you’re just thinking that because you view the script output as HTML … and what does < display as in HTML? Right, a < character …
You're looking at it wrong! The reason you're seeing the HTML tags IS because the magic php function is working. Otherwise, it would just render as actual HTML. This is happening because you're likely printing on to an HTML page.
So after looking elsewhere on SO, I realized instead of htmlspecialchars() I just needed rawurlencode().
It actually IS working. If you view the source, you will see it is working properly. The HTML is rendering the special chars though
If you look at the code of your page you'll see what was generated was exactly what was expected. Loo:
<div class="page-body">
<div id="code-output" class="code-output"><a href='test'>Test</a></div>
</div>
The problem is that when you render the page, the html entities are converted to text again. If it's not what you want, you should put the output inside <pre> tags.
Related
Could anyone please help me to resolve this issue shown in the picture ?
The message shown for that line of code means exactly what it says. If what it means by an "escaping function" is not clear, you can search the Web for lots of information about that. It's a fundamental concept in programming, and in website programming in general. You are going to need to understand it to write good, usable, robust webapps / websites.
Another place to start learning about what the message is telling you is noted right in the message: the WordPress Developer Handbook.
When you are going to print any content as output and if you did not properly escaped it then phpcs will generate error and it will say Output should be run through an escaping function. Here i am describing some information how you can escape properly
esc_html() It will be used to escaped any content with html tag. This WILL NOT display HTML content, it is meant for being used inside HTML and will remove your HTML.
<span><?php echo esc_html($title); ?></span>
esc_attr() can be used when need to escape any html tag attributes
<div id="<?php echo esc_attr($variableId);"></div>
wp_kses() When you need to keep any content with html tag then you have to use wp_kses() where you can pass an array of allowed html tag and attributes so that those allowed html tag will not be truncated while printing.
$title = '<span id="testid" class="className">This is a test content</span>'
echo wp_kses($title, ['span' => [ 'id' => []]]);
So if your output need to contain any html tag seems like svg then you can use wp_kses() with allowed html tag so that the require tag would not wipe out with the escaping method and this will fix the phpcs output error issue.
I was reading PHP Manual and I come across following text paragraph :
Line feeds have little meaning in HTML, however it is still a good
idea to make your HTML look nice and clean by putting line feeds in. A
linefeed that follows immediately after a closing ?> will be removed
by PHP. This can be extremely useful when you are putting in many
blocks of PHP or include files containing PHP that aren't supposed to
output anything. At the same time it can be a bit confusing. You can
put a space after the closing ?> to force a space and a line feed to
be output, or you can put an explicit line feed in the last echo/print
from within your PHP block.
I've following questions related to the text from above paragraph :
What does exactly mean by 'Line feeds' in HTML?
How to add them to the HTML code as well as PHP code and make visible in a web browser? What HTML entities/tags/characters are used to achieve this?
Is the meaning of 'Line feed' same in case of HTML and PHP? If no, what's the difference in meaning in both the contexts?
Why the PHP manual is saying in first line of paragraph itself that? What does PHP Manual want to say by the below sentence?
"Line feeds have little meaning in HTML"
How can it be useful to remove a linefeed that follows immediately after a closing tag ?> when someone is putting in many blocks of PHP or include files containing PHP that aren't supposed to output anything?
Please someone clear my above mentioned doubts by giving answer in simple, lucid and easy to understand language. If someone could accompany the answer by suitable working code examples it would be of great help to me in understanding the concept more clearly.
Thank You.
What does exactly mean by 'Line feeds' in HTML?
It is a general computing term.
The character (0x0a in ASCII) which advances the paper by one line in a teletype or printer, or moves the cursor to the next line on a display.
— source: Wiktionary
How to add them to the HTML code
Press the enter key on your keyboard. Note that (with a couple of exceptions like <pre>) all whitespace characters are interchangeable in HTML. A new line will be treated as a space.
as well as PHP code
Ditto … or you could use the escape sequence \n inside a string literal.
and make visible in a web browser?
The material you quoted is talking about making source code look nice. You generally don't want line feed characters to be visible in a browser.
You could use a <pre> element instead.
Outside of <pre> elements (and the CSS setting they have by default) you can use a space instead of a new line for the same effect in HTML.
What HTML entities/tags/characters are used to achieve this?
… but the advice given in the last sentence of the material you quoted is probably a better approach.
'Lines feed' exactly means a 'New line' both in Html and Php, only the syntax is different.
In case of Html tag, you can use <br> or <br/> tag for a Lines feed. Basically, this tag shows a new line in the output of the Html attribute block, while running through the browser.
You can take the following example for <br> tag:
<html> <body>
<p> To break lines<br>in a text,<br/>use the br element. </p>
</body> </html>
Output:
To break linesin a text,use the br element.
In case of Php, you can use '\n' for a lines feed.
If you are using a string in Php, then instead of writing,
echo "New \nLine";
you can use nl2br() function to get line break, like:
echo nl2br("New \nLine");
Output:
New
Line
I'm using pre tags to display codesnippets on my website, these snippets contain html and php.
So far I've used Jquery to convert html in the codesnippets to plain text, but the php tags are still being executed.
The code that I used for converting the html contents of the pre tag to plain text:
$(document).ready(function(){
$("pre").text($("pre").html());
});
An example of what I'm using it on:
<pre>
<p>paragraph Content</p>
<h1>html code</h1>
<?php echo "this is php example code"; ?>
</pre>
The first 2 lines display in the browser with the tags and everything perfectly, but the third line execute the php tags rendering only this php example code. Can anyone help me out so I can display the php tags in my code snippet aswell?
Also if anybody knows a better solution to rendering html/css and php as a code snippet on your website It would be really helpfull.
The problem with your approach is, that you try to influence the rendering after the browser has processed the file. When you look at the sourcecode of your page, you will notice that there really is nothing else than "this php example code" in there, because the server parsed that part of your code and executed it, which leads to nothing but the string you put into that echo command.
You need to handle your output before your send it to the client and fetch all occurrences of <pre> and </pre> to replace all < and > between them with their respective HTML entities.
Have a look at this question to find out the best approach to parse the HTML and get the appropriate elements in order to modify them.
You should escape the < and > symbols - replace them with their HTML entities, < and > respectively ;)
If you want a total and comprehensive conversion to HTML entities, try converting them over at http://centricle.com/tools/html-entities
Generally it's good practice to convert all symbols to their respective HTML entities within a code block.
Try to replace <?php ... ?> with
<? .... >
<pre>
<p>paragraph Content</p>
<h1>html code</h1>
<?php echo "this is php example code"; ?>
</pre>
Here's a JSFiddle example so you can see how it renders on the page.
Good morning,
Here's the problem:
I have some text being entered in via text editor (WYSIWYG/TinyMCE) and being displayed elsewhere as posting. The problem we have is that the text looses its formatting when being displayed as a posting. After digging through the code, I discovered that this was being done with a strip_tags() + echo preg_replace() combo. I'm still new to PHP, but I was able to figure out:
strip_tags() was taking out the formatting (b/c that's how it rolls)
I could add and to get the bold and italicized text to display
the underlined and strikethrough text are CSS styles and adding the code (as it is saved on the db table) to the strip_tags() list did NOT solve the problem
My question is: can I modify the existing code to solve this, or should I use something else (htmlentities() perhaps)?
EDIT: I tried htmlentities and it failed.
EDIT: I added just the tag and the problem is 50% solved. My text is underlined, but it shows lower than the non-underlined text that comes after it. Its as if the underlined text is being treated as subtext or something.
code snippet:
<div class="display_text_area">
<?php $text = strip_tags(str_ireplace("</p>", "</p><br/>",
$text_detail->description),
'<font><ul><li><br/><strong><em><span style="text-decoration: underline;">'); ?>
<?php echo preg_replace('/(<br[^>]*>\s*){2,}/', '<br/>', $text); ?>
</div>
I'm leaving the tag here to show that (a) I tried it, and (b) it didn't work. So (c) I know it needs to be removed or modified.
Many thanks in advance.
The point is that TinyMCE returns nominally valid rich HTML that doesn't need stripping or escaping before being used in an HTML page. However, you can't assume that the TinyMCE editor is running on the client, as a you might be exploited by someone who simply directly posts a response which contains an XSS attack.
IIRC, TinyMCE returns XHTML by default. You need to ensure that any returned HTML is correct using a library such as HTML Purifier.
I am working with htmlentites() to replace characters with safe html, namely the PHP because I want to be able to show PHP examples. The problem I am running into is all the tags are replaced (ex: </p>, </br> etc). I know I can write a custom htmentities to only replace the <? tags and other specific xml tags but I was wondering is there something in PHP that already does this?
I would use the highlight_string() function in PHP as it will escape the characters and syntax highlight the code.