When I include some PHP in my page to populate a load of HTML everything is preceeded with the characters . It's probably something daft but it's driving me nuts. I'm a newcomer to PHP so kid gloves please.
This is my include statement <?php $PSName="Solar Numbers"; $whereto="bot"; include("../php/menu.inc.php");?>
and this is the code that's doing the damage
print <<<END
<a href="$pgurl">
<div id="layer1" style="background: url('$picurl');
position: absolute; width: 150px; height: 41px; z-index: 1; color: #FFFFFF; font: caption;
left: 14px; top: $topstr;
font-family: Arial, Helvetica, sans-serif; font-weight: bolder; text-decoration: none;
text-transform: capitalize; text-align: center; vertical-align: middle; font-size: xx-small;">
<br>
<font size="+0">$pgnm</font>
</div>
</a>
END;
it's output several times in a loop in the program and it's only the first time round I get the spurious characters.
Help please
SteveK
Save the file as UTF-8 without the signature (BOM).
Those characters are the Unicode code point U+FEFF which is needed for UCS-2, UCS-4, UTF-16 and UTF-32 to indicate the byte order (little- or big-endian) – the code point itself is a zero-width no-break space. That means any application not stripping it won't run into problems as long as it supports Unicode output. However, if your PHP file begins with it (in UTF-8), PHP is not smart enough to do anything with it and since it's page content as far as PHP is concerned, it will get printed. This also means that you can't do a redirect or set cookies or start a session if this happens as PHP already sent part of the page output.
The characters look like UTF-8 BOM characters.
If you use Dreamweaver, the preselected option for "source file creation" is:
use utf8 BOM [x]
deselect it and create a file (menu.inc.php) without the BOM (byte order mark).
Regards
rbo
Reeeeeeeeeally late I know, but this little piece of HTML got rid of it no trouble:
<meta charset="utf-8" />
Hope it helps someone :)
Related
Right now, I have PHP outputting a list of tags from an SQL database and creating each of them as an <a> tag that looks something like: <a class="tag" href="tags/test-tag" style="background-color:rgb(150,150,255)" title="test tag"> test tag </a> with css:
.tags {
margin-block-start: 0;
margin-block-end: 0;
margin-left: 5px;
overflow: hidden;
font-size: 16px;
display: inline;
margin-top: 2px;
text-overflow: "";
}
As it stands this looks pretty good, but after 3-4 lines (depending on title length) the tags reach the end of the div and keep going, leaving a little bit of the first tag to wrap below visible despite having overflow:hidden on.
Two rows of tags with the third barely visible ("peeking") above the bottom of the div
Is there any way to fully hide any overflowing text? I've changed values around many times to no avail, but I haven't had time to work on this in a while, so I couldn't really say what precisely I've done. Any help would be greatly appreciated.
You can use white-space: nowrap to prevent text from wrapping to the next line and keep it all on one line.
.tag {
white-space: nowrap;
}
This will keep the text from wrapping and any text that exceeds the width of the parent container will be hidden due to the overflow: hidden property.
I've been working on a forum, and I've made everything work as it, and I tried wrapping to see if it works, basically that part of the code looks like this
before the PHP I got some HTML style:
<style>
pre {
white-space: pre-wrap;
white-space: -moz-pre-wrap;
white-space: -pre-wrap;
white-space: -o-pre-wrap;
word-wrap: break-word;
font-size: 20px;
margin: 0% 8% 0px 8%;
}
</style>
And then after a bunch of MySQL things
echo '<table style="height: 21px;" width="100%">';
while($forumcomrow=mysqli_fetch_array($forumcomres))
{
echo '<tr><td>some text</td><td><pre>Some Very Long Text From Mysql </pre></td></tr></br>';
}
echo '</table>';
I removed everything and just left the style for it and the echo for the table, when I echo just the pre tag, it wraps it at the end of the screen, but as soon as I put it in a table (size doesn't matter, even if I put the width of the table to 5px) it still goes 10 miles off the screen until it starts wrapping.
This is what happens:
On the picture above you can see one part of it, but the text goes off screen about 5x the length you can see on there, and only then starts wrapping
I have figured out what's giving it a problem, it will wrap the text if it has spaces ("aaaa aaa aaa aa aa") but if its one long word ("aaaaaaaaa") it won't wrap it, I don't know how to fix it, I've just figured out whats causing the problem.
It is because of <br> tag at the end, I have faced the same problem some time ago. <br> get applied first for every time and then table gets wrapped.
Remove <br> at the end
echo '<tr><td>some text</td><td><pre>Some Very Long Text From Mysql </pre></td></tr>';
and then it will work perfectly fine.
I'm trying to understand XSS attacks. I learnt that I should use htmlspecialchars() whenever outputting something to the browser that came from the user input. The code below works fine.
What I don't understand is whether there is a need to use htmlspecialchars() here for echoing the $enrollmentno or not?
<?php
$enrollmentno = (int)$_POST['enrollmentno'];
echo "<div style='border-radius:45px; border-width: 2px; border-style: dashed; border-color: black;'><center><h4><b>$enrollmentno</b></h4></center></div>";
$clink = "http://xyz/$enrollmentno/2013";
echo"<iframe src='$clink' width='1500' height='900' frameBorder='0'></iframe>";
?>
If I do something like
$safe = "<div style='border-radius:45px; border-width: 2px; border-style: dashed; border-color: black;'><center><h4><b>$enrollmentno</b></h4></center></div>";
echo htmlspecialchars($safe, ENT_QUOTES);
It doesn't show the correct HTML format.
I'm not sure if I have to use HTMLPurifer here.
Does HTMLPurifer retain the HTML formating while prevent XSS?
Update
echo "<div style='border-radius:45px; border-width: 2px; border-style: dashed; border-color: black;'><center><h4><b>".htmlspecialchars ($enrollmentno)."</b></h4></center></div>";
Does the trick!
Any time you use arbitrary data in the context of HTML, you should be using htmlspecialchars(). The reason for this is that it prevents your text content from being treated as HTML, which could potentially be malicious if coming from outside users. It also ensures you are generating valid HTML that browsers can handle consistently.
Suppose I want the text "8 > 3" to appear on in HTML. To do this, my HTML code would be 8 > 3. The > is encoded as > so that it isn't misinterpreted as part of a tag.
Now, suppose I am making a web page about how to write HTML. I want the user to see the following:
<p>This is how to make a paragraph</p>
If I don't want <p> and </p> to be interpreted as an actual paragraph, but as text, you need to encode:
<p>This is how to make a paragraph</p>
htmlspecialchars() does that. It allows you to insert arbitrary text into an HTML context in a safe way.
Now, in your second example:
$safe = "<div style='border-radius:45px; border-width: 2px; border-style: dashed; border-color: black;'><center><h4><b>$enrollmentno</b></h4></center></div>";
echo htmlspecialchars($safe, ENT_QUOTES);
This does exactly what you asked it to do. You gave it some text, and it encoded that. If you wanted it as HTML, you should have just echoed it.
Now, if you need to display HTML as HTML and it comes from an untrusted source (i.e. not you), then you need tools like HTMLPurifier. You do not need this if you trust the source. Running all your output through htmlspecialchars() doesn't magically make things safe. You only need it when inserting arbitrary text data. Here's a good use case:
echo '<h1>Product Review from ', htmlspecialchars($username), '</h1>';
echo htmlspecialchars($reviewText);
In this case, both the username and review text can contain whatever that user typed in, and they will be encoded correctly for use in HTML.
I have a page which is a cms/wysiwyg/ms word nightmare.
It pulls many paragraphs of text from a database, some of which have retained ms word's bizarre html tags - including font declarations!!! ahh!
In one sentence I can have things like:
<span style="font-family:Verdana">this is some</span>
<span style="font-family:arial">ugly text!</span>
I was wondering if there is a way of removing all font-family and font-size styles so they will adapt the master stylesheet css?
I'd prefer to not get into massive preg_replace conditions if I can avoid it.
Thanks
CSS:
span {
font-family: initial !important;
font-size: initial !important;
}
Well, if you're getting inline styles in many places, I would add this to the body CSS
body {
font-family: Arial, Helvetica, sans-serif !important;
font-size: 16px !important;
}
If you notice that all of the inline font styling are going on spans, you could target spans instead of the body.
I chose these two fonts because they are the "default" fonts for Windows and Mac/iOS.
Of course you can choose your own font size. The only unfortunate part about this is if you want a different font and font size in other places you'll have to use more !importants.
You can use the !important rule for this. But you will have to explicitly define each element you want it to go on (or use the universal selector *)
http://jsfiddle.net/b8RKm/
* { font-family: Tahoma, sans-serif !important; }
Alright so for my site I am allowing my users to have a description of themselves or whatever they like, however when I attempt to make breaks using [ENTERKEY] into the <textarea> it looks like this:
Hello, I am John Smith.
Phone#: (123)456-7890
I enjoy web-browsing.
When I return to the page it looks EXACTLY the same (It puts their current description in the edit box). This is what I want. I look in the PHP database and it still looks the same. Again it is what I want. However on the profile page It looks like this
Hello, I am John Smith. Phone#: (123)456-7890 I enjoy web-browsing.
It is contained inside a div with these style tags and like so
<div style="width: 250px; min-height: 50px; margin: auto; font-weight: normal; text-align: center; padding: 2px; margin-bottom: 5px;">
<?php echo $description; ?>
</div>
Im curious why it does this any help would be appreciated :D.
Add white-space:pre-line to your <div> Or, use:
<?= nl2br($description); ?>
Remember that HTML needs <br /> for line breaks, not \n or \r\n (like your <textarea> is collecting). So you can either tell HTML to pay attention to those new lines using white-space, or force the <br /> using nl2br.
When you enter a newline in a textarea, it gets stored as \n, however, HTML does not honor \n linebreaks, which is why everything shows up in a single line when inside a div.
To fix this, you have to convert the \n to <br /> (using nl2br() )which HTML recognizes:
<div style="width: 250px; min-height: 50px; margin: auto; font-weight: normal; text-align: center; padding: 2px; margin-bottom: 5px;">
<?php echo nl2br($description); ?>
</div>
This is because when you take a regular line break and try to render it as HTML, HTML ignore the whitespace character. You need to explictily use <br> (or <br/> depending on DOCTYPE) to create a line break in HTML.
The easiest way to do this in PHP is by using nl2br() function in PHP on output.