I am have troubles trying to print out < > symbols in HTML using PHP.
I am appending a string "<machine>" to a variable.
Example:
$output .= " <machine> ";
echo $output;
I tried using escapes, but that didn't help. Any advice?
> = >
< = <
Or you can use htmlspecialchars.
$output .= htmlspecialchars(" <machine> ");
If you are outputting HTML, you cannot just use < and > : you must use the corresponding HTML entities : < and >
If you have a string in PHP and want to automatically replace those characters by the corresponding HTML entities, you'll be interested by the htmlspecialchars() function (quoting) :
The translations performed are:
'&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not
set.
"'" (single quote) becomes ''' only when ENT_QUOTES is
set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'
In your case, a portion of code like this one :
$output = " ";
echo htmlspecialchars($output, ENT_COMPAT, 'UTF-8');
Would get you the following HTML code as output :
<machine>
And, just in case, if you want to encode more characters, you should take a look at the htmlentities() function.
Your trouble is not with PHP, but rather with the fact that < and > are used in HTML. If you want them to display in the browser, you probably want to print out their escaped entity versions:
< is <
> is >
You can also use the htmlspecialchars() function to automatically convert them:
echo htmlspecialchars("<machine>");
You need to turn them into e.g. < and > - see the htmlentities() or htmlspecialchars() functions.
echo htmlentities($output);
or
echo htmlspecialchars($output);
If you don't want to bother manually going through your string and replacing the entities.
use "htmlspecialchars_decode()"
e.g.
<?php
$a= htmlspecialchars('<?php ');
$a=$a.htmlspecialchars('echo shell_exec("ipconfig"); ');
$a=$a.htmlspecialchars('?>');
echo htmlspecialchars_decode($a);
?>
The < and > symbols should be shown in the HTML source but the "<machine>" is interpreted as XML tag. Use htmlentities() to convert all special characters in the String into their HTML-equivalents, or use "<machine>"
Solution:
$output .= " <machine> ";
$output = htmlentites($output);
echo $output;
Related
In my string I have quotes(',") and < tags > . I used
htmlspecialchars($str, ENT_QUOTES);
to convert only the single and double quote to general text . But unfortunately it is also converting tags < , > . For this reason even I have
strip_tags("$desc","< b >< font >< i >< u >< br >");
Those allowed tags are also displaying as general < and > sign not working as html tags .
In conclude , I want to display single and double quote as regular text and allowed tags working as html does.
Thank You.
Why don't you run strip_tags() before htmlspecialchars() ?
sample:
<?php
$input = '<b>allowed tag</b> " <font>not allowed tag</font>';
// XXX
$tmp = htmlspecialchars($input, ENT_QUOTES);
$result = strip_tags($tmp, '<b>');
var_dump($result);
// string(78) "<b>allowed tag</b> " <font>not allowed tag</font>"
// Improved
$tmp = strip_tags($input, '<b>');
$result = htmlspecialchars($tmp, ENT_QUOTES);
var_dump($result);
// string(53) "<b>allowed tag</b> " not allowed tag"
I have some var containing ', "
$var = "Hello \" World '";
<input type="text" value="<?= $var ?>" >
when browser render this code above we will see input element containing only 'Hello'.
how solve this problem without using special symbols like ” in Db strings must contain ', "
how solve this problem without using special symbols like ”
You don't, although rdquo is the wrong character reference to use in this case.
Run text through htmlspecialchars() to turn it into HTML before you insert it into an HTML document.
<input type="text" value="<?= htmlspecialchars($var) ?>">
HTML Entities is what you need.
This is similar to htmlspecialchars but if you require all input substrings that have associated named entities to be translated, use htmlentities() instead.
Here's Char html codes!
$var = "Hello \" World '";
I use html special char:
" - special html char - "
$var = "Hello " World '";
Result:
Hello " World '
I have comment box. If i type in something like this
aa #Martins <aabb>
In database I save it like:
aa <span class="highlight" contenteditable="false">#Martins Vilskersts</span> <aabb><span></span>
And for now i use this, to show it:
$str = strip_tags(htmlspecialchars_decode(html_entity_decode($my_string_from_database)), '<br><br/>');
//here is some replace for links functionality
$replace = '<a href="javascript:;" class="..." id="..." ></a>';
$str = str_replace($link->tag, $replace, $str);
echo $str;
And i get result like this:
aa #Martins
But i want to see it like this:
aa #Martins <aabb> -[with # functionality, but with some random <aaa><bbb> tags as plain text. Any idea?]
USE THIS:
just replace < by < and > by >
Keep this in mid as well :
'&' (ampersand) becomes &
'"' (double quote) becomes " when ENT_NOQUOTES is not set.
"'" (single quote) becomes ' only when ENT_QUOTES is set.
'<' (less than) becomes <
'>' (greater than) becomes >
If you just literally output the string as stored in the database, without using htmlspecialchars_decode, strip_tags, html_entity_encode, etc, then it'll come out properly.
You have already saved the parts you want to see as encoded characters, and the parts that should work as raw html in your database.
I got a simple script which I'm using to POST one world and then to display it with lines from list_of_files.txt. Just noticed that I can POST JavaScript, PHP and Html. How I strip this?
$files=file('list_of_files.txt');
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
foreach($files as $list)
{
$extension = $_POST['extension'];
echo trim($list) . trim($extension);
echo "</div>";
}
}else{
?>
strip_tags($str) (http://php.net/manual/de/function.strip-tags.php) will remove ALL HTML tags
Example:
name=<strong>Finn</strong>&last_name=<script>alert('XSS');</script>
PHP:
$normal = $_POST['name']; //<strong>Adam</strong>
$stripped = strip_tags($_POST['name']); //Adam
Are you looking for strip_tags?
This function tries to return a string with all NULL bytes, HTML and PHP tags stripped from a given str. It uses the same tag stripping state machine as the fgetss() function.
if you're looking to output, you can use htmlspecialchars.
The translations performed are:
'&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
"'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'
So i have in my mysql
'UAB "Litofcų kontora"'
When i try to put it in input like this
<input type="text" value="UAB "Litofcų kontora""> it don't display whole thing because of the quotes how to make that only quotes replace with a html code?
tried htmlentities and htmlspecialchars but it converts ų to but i need that to be the way it's don't covert.
You have (only) to replace all " with " before outputing the input value. E.g. with str_replace:
$sInputValue = str_replace('"', '"', $sValueFromDb);
echo '<input type="text" value="' . $sInputValue . '">';
Also see this php exmaple and the resulting html example.
It looks like your problem is that the data has been encoded for HTML but only for use as a text node.
The solution therefore is to convert it from HTML to text, and then convert it back to HTML - but in a fashion suitable for putting in an attribute.
preg_replace_callback code from this comment in the PHP manual because html_entity_decode appears to not support numeric entities.
$input = 'UAB "Litofcų kontora"';
$attribute_safe = htmlspecialchars(
html_entity_decode(
preg_replace_callback(
"/(&#[0-9]+;)/",
function($m) { return mb_convert_encoding($m[1], "UTF-8", "HTML-ENTITIES"); },
$input
)
)
);
echo $attribute_safe;