son Posted May 26, 2011

I have posted before about htmlspecialchars() function and have opted to use it as it combats issues with single and double quotation marks. Plus it also converts the & character. However, there seems to be no way to turn off the conversion of < and >. Why is a conversion for those useful? Just do not get it...

Also, my files are all in UTF-8; using the function it shows on actual webpage text as '–' which I obviously do not want.

Son

jeffman Posted May 26, 2011

A common reason for using the function is to display HTML as characters, not as actual DOM elements. This forum does that. If it didn't, my typing <textarea>hi</textarea> would not appear as HTML, it would perform as HTML, and you would see a textarea.

A lot of blogging software does the same sort of thing, so that users cannot inject potentially dangerous or annoying HTML into your blog. All the user would see is non-functioning HTML.

MrFish Posted May 26, 2011

If you're intending to upload real html content you can use a str_replace function to convert the html character code back into '>' or '<'.

But if you don't it's like Deirdre said. I've written a chatbox before and forgot to check for this so someone just wrote-

<script type='text/javascript'>window.location='some_porn_site'</script>

so everyone who came to my site automatically got redirected to a porn site. This is why it is important to deny users access to these characters.

jeffman Posted May 26, 2011

^^ Ouch!

son Posted May 26, 2011

^^ Ouch!

I see and understand now why this is important. It is for data that is actual web page content and there could be lists, italics etc. I suppose as this is entered by site owner only I can assume they would not want to infringe their site's operation, so should be fine without. Otherwise, it will infringe with them entering content and annoy them also. Do not expect they would like to redirect to porn site, although you never know ;-)

Cheers,
Son

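An added example, not part of any post in this thread: one way to combine the two needs discussed above, escaping everything with htmlspecialchars() and then restoring only a fixed set of formatting tags (the lists and italics son mentions) instead of converting every < and > back. The function name render_limited_html(), the tag allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Function name, allowlist and
// sample inputs are constructed for illustration.

/**
 * Escape all HTML, then re-enable only bare allowlisted tags.
 * Tags carrying attributes (onclick, href, style, ...) never match the
 * pattern, so they stay escaped and are shown as text.
 */
function render_limited_html(
    string $input,
    array $allowed = ['b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'p']
): string {
    // Name the charset explicitly so UTF-8 input is treated as UTF-8.
    // ENT_QUOTES converts both single and double quotes.
    $escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // After escaping, an allowed tag looks like &lt;li&gt; or &lt;/li&gt;.
    // Restore exactly those forms and nothing else.
    $names = implode('|', array_map('preg_quote', $allowed));
    $pattern = '~&lt;(/?)(' . $names . ')&gt;~i';

    return preg_replace($pattern, '<$1$2>', $escaped);
}

// Constructed sample inputs.
$samples = [
    // Formatting the site owner wants to keep working.
    "<ul><li>First – item</li><li><i>Second</i></li></ul>",
    // The kind of chatbox input described in the thread: stays inert text.
    "<script type='text/javascript'>window.location='https://example.invalid/'</script>",
    // Allowed tag name, but with an attribute: stays escaped.
    "<b onmouseover=\"alert(1)\">hover</b>",
];

// Declare the same charset to the browser that the files are saved in.
header('Content-Type: text/html; charset=UTF-8');

foreach ($samples as $sample) {
    echo render_limited_html($sample), "\n";
}
```

A blanket str_replace of the entities back to < and > would also revive the script tag in the second sample, which is why the pattern restores only complete, attribute-free tags from the allowlist.
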