I use ajax with php to output hyperlinks enabling the user to email some text. The link points to a mail script and the querystring contains the text to mail. By clicking on the link, the user mails the text. However, if the text (also user created) contains a quote mark, this quote mark appears in the querystring and breaks the code. Specifically, the browser thinks the querystring ends when it encounters the quote. The text after the quote spills out onto the page. I could enclose the hyperlink in an apostrophe instead of a quote, but then I'd have the same problem if the user included an apostrophe in the text.
I have tried to escape these special characters using json_encode but that did not work. I know there is addslashes or maybe I could hack something with str_replace, but would like to do this the right way.
Thanks for any suggestions on the right way to do this.
```php
<?php
// go to dbase
$text = $row['text'];
echo 'email text';
/*
say for sake of argument text is 'the dimensions of the painting are 24" x 36"'
then above link is
echo 'email text';
which breaks code
*/
```
urlencode should be used, since you're encoding the text to put it in a URL.
Related
I want to create hyperlinks to pages on my site but the page addresses have double quotes within them?
Eg:
the above just links to mysite.com/search.php?q= as I would expect as it is written.
The API returning results allows phrase searches by placing them in double quotes.
Is there a way to escape these within the href tag?
Simple solution: use alternative quotes:
<a href='mysite.com/search.php?q="sales+manager"&l=usa'></a>
This will work fine (the browser will make sure the URL gets properly formatted when a user clicks it), but you should really be urlencoding special characters because there's a whole bunch of stuff that you're not allowed to use in URLs, and some stuff that has a different meaning (in a URL, spaces become +, for instance, so you can't drop in a + and get it to stay that once you parse it. URL magic!).
Have a look at urlencode and use that when generating the link URL server side. This will turn things like spaces into %20, double quotes into %22, etc., and is how you send literal string data from a client to a server.
You must encode the quotes "
mysite.com/search.php?q="sales+manager"&l=usa
Is there a way to escape these within the href tag?
Yes, with the escape character \.
Although, the current state of your code would produce:
effectively breaking the href since you are breaking the string.
What you want is just:
...
You are considering whether the characters need to be escaped in order to work in your HTML.
However, you should also consider whether they need to be escaped in order to be sound URLs.
To work in your HTML you may do
<a href="mysite.com/search.php?q='sales+manager'&l=usa">.
However, the ' character cannot be in a URL.
"Uniform Resource Locators may only contain the displayable characters in the standard ASCII character set. Nondisplayable characters or characters in the extended ASCII set (128 through 255) are specially encoded."
See here for a list of URL escape codes.
Perhaps you want to retain the quotes in the get-request of your URL. In that case, you might want:
<a href="mysite.com/search.php?q=%22sales+manager%22&l=usa">
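The two-layer encoding the answers above recommend, applied to both the mail link from the first question and the phrase-search link from this one. This is an added example, not code from either post; the script names mail.php and search.php, the parameter names and the sample text are constructed assumptions.

```php
<?php
// Added example, not from the original posts. Builds links whose querystring
// carries user text containing quotes. Layer 1: urlencode() makes each value
// safe inside the URL (" -> %22, ' -> %27, space -> +, & -> %26). Layer 2:
// htmlspecialchars() makes the finished URL safe inside the href attribute
// (the & between parameters -> &amp;). Always encode the innermost context first.
function link_to(string $script, array $params, string $label): string
{
    $url = $script . '?' . http_build_query($params); // urlencodes every key and value
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample values; script names are assumptions.
$text = 'the dimensions of the painting are 24" x 36"';

// Mail link from the first question: the quotes travel as %22 and can no
// longer terminate the attribute.
echo link_to('mail.php', ['text' => $text], 'email text'), "\n";

// Phrase-search link from the second question: q keeps its quotes as %22,
// and the & separating q from l is written as &amp; inside the attribute.
echo link_to('search.php', ['q' => '"sales manager"', 'l' => 'usa'], 'search'), "\n";

// Contrast with the broken form from the question: the first raw " in $text
// ends the href attribute and the remainder spills onto the page.
echo '<a href="mail.php?text=' . $text . '">email text</a>', "\n";

// What the receiving script sees: PHP decodes the querystring into $_GET, so the
// quotes come back intact. parse_str() applies the same decoding here.
parse_str(http_build_query(['text' => $text]), $got);
var_dump($got['text'] === $text);   // decoded value equals the original text
```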
Problem: External links have our domain name to the front of the link.
In database the following string is stored:
To learn more about Rich Habits <a href=”http://www.externaldomain.com”>click here.</a>
In our PHP File we echo the string as such:
<p><?php echo Author::getAuthorBio( $post->author1 ) ?></p>
The resulting HTML from a browser is as such:
<p>To learn more about Rich Habits <a href=”http://www.externaldomain.com”>click here.</a></p>
But, when clicking on link, the url is:
mydomain.com/”http://www.externaldomain.com”
How do I make link correct?
You are trying to quote the value of the attribute with ” instead of ". The ” is not a valid character for quoting attributes in HTML, so it is being treated as part of the URL.
Since ”http:// is not a valid URL scheme, it is being treated as a relative URL.
Replace the ” with ".
Your problem is most likely caused by writing your HTML in something other than a text editor. Word processors have a habit of replacing straight quotes with typographic quotes. This is a mistake when dealing with code instead of English.
Your ” around the href attribute are not double quotes. They are special characters. Replace them with " and it'll fix it.
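A check worth running over HTML stored in the database before it is echoed, so that typographic quotes around an href are caught rather than discovered as broken links. This is an added example, not code from the post; the stored string is taken from the question and the function names are assumptions.

```php
<?php
// Added example, not from the original post. Flags href values that begin with
// a typographic quote (U+201C/U+201D). To the HTML parser those are not quote
// delimiters, so the value is read unquoted, has no valid scheme, and gets
// resolved relative to our own domain.
function find_curly_quoted_hrefs(string $html): array
{
    $bad = [];
    // An unquoted attribute value runs up to the next whitespace or '>'.
    if (preg_match_all('/href\s*=\s*([^\s"\'>]+)/u', $html, $m)) {
        foreach ($m[1] as $value) {
            if (preg_match('/^[\x{201C}\x{201D}]/u', $value)) {
                $bad[] = $value;
            }
        }
    }
    return $bad;
}

// Repair: replace the typographic quotes with straight ones. Only apply this
// to markup you authored; on arbitrary text it would alter the content itself.
function straighten_quotes(string $html): string
{
    return str_replace(["\u{201C}", "\u{201D}"], '"', $html);
}

// Stored string from the question (the ” characters are the defect).
$stored = 'To learn more about Rich Habits <a href=”http://www.externaldomain.com”>click here.</a>';

$flagged = find_curly_quoted_hrefs($stored);   // contains the ”http://...” value
$fixed   = straighten_quotes($stored);         // href is now delimited by real "
var_dump(find_curly_quoted_hrefs($fixed));     // nothing left to flag
```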
I have a rich text editor (tinyMCE specifically) in a textarea and I'm saving the HTML contents of that textarea into a PHP variable, as well as saving it in a hidden input field. I'm wondering how I can make this both secure and functional, especially with apostrophes or quotation marks that conflict with my hidden input.
I've tried using htmlspecialchars and htmlspecialchars_decode, but it's not fully working as sometimes I'll get random backslashes in the output (thus it's not properly functioning.) However, this does seem to prevent issues with apostrophes or quotation marks conflicting with the HTML of the hidden input field.
Is there a perfect solution? I'm thinking about TryIt Editor, and how it can display html elements as well as apostrophes or quotation marks with no problems (as far as I know). How can I do something like that in my rich text editor?
I was on the right track thinking to use htmlspecialchars, I just needed to take it one step further and also use stripslashes. This removed the backslashes I was getting from htmlspecialchars.
So something like:
```php
$content = htmlspecialchars($_POST["textarea"]);
```
And then when I needed to output it, something like this:
```php
$htmlcode1 = "<html> \n <body>";
$htmlcode2 = "</body> \n </html>";
$somecontent = htmlspecialchars_decode(stripslashes($htmlcode1.$content.$htmlcode2));
```
Hope this helps someone else out in the future!
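The round trip through the hidden input, shown end to end. This is an added example, not the poster's code: it escapes once with htmlspecialchars(ENT_QUOTES) when writing the value attribute and relies on the browser decoding the entities on submit, so no decode step is needed afterwards. The stray backslashes the answer mentions are what PHP's old magic_quotes_gpc added (removed in PHP 5.4), which is all stripslashes() undoes. The editor content and function names are constructed assumptions.

```php
<?php
// Added example, not from the original post. Carries rich-text HTML through a
// hidden input: escape for the attribute context once, on the way in.
function hidden_input(string $name, string $html): string
{
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($html, ENT_QUOTES, 'UTF-8') . '">';
}

// Simulates what the browser does on submit: it parses the attribute value,
// decoding &quot; &#039; &lt; &gt; &amp; back to characters, and POSTs that.
function browser_submits(string $input_tag): string
{
    preg_match('/value="([^"]*)"/', $input_tag, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed editor content with both quote kinds, an entity and a tag.
$content = '<p class="note">It\'s "done" &amp; <b>bold</b></p>';
$tag = hidden_input('content', $content);

// Inside the attribute the " and ' appear as &quot; and &#039;, so neither can
// close it; the value attribute holds the whole string.
$roundtrip = browser_submits($tag);
var_dump($roundtrip === $content);   // the original HTML comes back unchanged
```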
I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). So as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is use urlencode() on the contents of the fields before they are posted, and then urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
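The & and + half of the question, demonstrated with a hand-built form body next to a urlencoded one (the apostrophe half is the htmlspecialchars($data, ENT_QUOTES) call the first answer gives). This is an added example, not code from the thread; the field names and values are constructed.

```php
<?php
// Added example, not from the original post. In application/x-www-form-urlencoded
// data, & separates key=value pairs and + means a space. A body assembled without
// urlencode() therefore loses "Me & you" and "1+1"; http_build_query() encodes
// every key and value so they survive.
function naive_body(array $fields): string
{
    $parts = [];
    foreach ($fields as $k => $v) {
        $parts[] = $k . '=' . $v;          // no encoding: & and + keep their
    }                                      // special meaning in the body
    return implode('&', $parts);
}

function encoded_body(array $fields): string
{
    return http_build_query($fields);      // urlencode()s keys and values
}

// Decode the way PHP fills $_POST for application/x-www-form-urlencoded.
function server_sees(string $body): array
{
    parse_str($body, $out);
    return $out;
}

$fields = ['name' => "Hello there I'm Jon", 'msg' => 'Me & you', 'sum' => '1+1'];

$naive = server_sees(naive_body($fields));
// $naive['msg'] is truncated to "Me " (the & started a new, bogus pair)
// and $naive['sum'] becomes "1 1" (the + was read as a space).

$good = server_sees(encoded_body($fields));
// Every field equals the original, apostrophe, ampersand and plus included.
var_dump($good === $fields);
```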
I have a php script, where the user inserts his name.
Users can insert anything they want, even things like <img src="....
I would like to save their input in a way it won't show any image (or any html).
I know it exists but I don't know what keywords to search for in order to find what does it.
Use strip_tags($str).
http://php.net/strip_tags
htmlspecialchars() will encode the text so that the tags are not interpreted as HTML.
The easiest solution is the PHP function strip_tags(), which does exactly what the name suggests, and strips HTML tags from a string.
The other alternative is to 'escape' the input, so that HTML characters such as < and > are converted into displayable text. This would result in the HTML code being displayed.
You would do this with the function htmlentities().
It's worth pointing out that the input may contain HTML characters without actually intending to be HTML. The & character is a HTML reserved character, but can also be found in normal text. > and < are less commonly used in normal text, but still possible. All of them may cause problems when displayed on your page, without necessarily being actual HTML code.
The solution to this is as above, to escape the string using htmlentities(). You may want to run strip_tags() first, but you should also run htmlentities() as well, to ensure that the string is displayed correctly.
Hope that helps.
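The two-step approach the last answer describes, strip tags on the way in and escape on the way out, run over names that do and do not contain real HTML. This is an added example, not code from the thread; the sample names and function names are constructed.

```php
<?php
// Added example, not from the original post. strip_tags() removes an injected
// <img src="x"> from a name, but ordinary text can still contain &, < or >
// without being HTML, so the display step must escape whatever is left.
function clean_name_for_storage(string $name): string
{
    return strip_tags($name);                  // drops <img src="x"> entirely
}

function name_for_html(string $stored): string
{
    // Escape at output: & -> &amp;, < -> &lt;, > -> &gt;, quotes -> entities.
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs.
$inputs = [
    'Alice <img src="x"> Smith',   // tag injected into the name
    'Tom & Jerry',                 // legitimate ampersand, no HTML intended
    '5 < 6 and 7 > 3',             // angle brackets that are not tags
];

foreach ($inputs as $raw) {
    $stored = clean_name_for_storage($raw);
    echo name_for_html($stored), "\n";
}
// The first name loses the image tag and nothing else; the other two keep their
// & < > characters, now written as entities so the browser shows them as text.
```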