
Useful to convert < and > into html characters?


son


I have posted before about the htmlspecialchars() function and have opted to use it as it combats issues with single and double quotation marks. Plus it also converts the & character. However, there seems to be no way to turn off the conversion of < and >. Why is a conversion for those useful? Just do not get it... Also, my files are all in UTF-8; using the function it shows on actual webpage text as '–' which I obviously do not want.

Son


A common reason for using the function is to display HTML as characters, not as actual DOM elements. This forum does that. If it didn't, my typing <textarea>hi</textarea> would not appear as HTML, it would perform as HTML, and you would see a textarea.

A lot of blogging software does the same sort of thing, so that users cannot inject potentially dangerous or annoying HTML into your blog. All the user would see is non-functioning HTML.


If you're intending to upload real html content you can use a str_replace function to convert the html character code back into '>' or '<'.

But if you don't, it's like Deirdre said. I've written a chatbox before and forgot to check for this, so someone just wrote: <script type='text/javascript'>window.location='some_porn_site'</script> so everyone who came to my site automatically got redirected to a porn site. This is why it is important to deny users access to these characters.


^^ Ouch!
I see and understand now why this is important. It is for data that is actual web page content and there could be lists, italics etc. I suppose as this is entered by site owner only I can assume they would not want to infringe their site's operation, so should be fine without. Otherwise, it will infringe with them entering content and annoy them also. Do not expect they would like to redirect to porn site, although you never know ;-)

Cheers,
Son
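The two approaches discussed in this thread, as an added example that is not code from any of the posters: escaping everything on output, and escaping first and then restoring a short allowlist of plain tags with str_replace. The function names `escape_html` and `escape_with_allowed_tags`, the allowlist and the sample strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Escape text for HTML element content and quoted attribute values.
// The charset is passed explicitly so multibyte UTF-8 characters such as
// an en dash are handled as single characters and pass through unchanged.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape everything first, then restore only exact, attribute-less tags
// from an allowlist (hypothetical default list). A tag carrying attributes,
// e.g. <em onclick="...">, never matches and therefore stays escaped.
function escape_with_allowed_tags(
    string $text,
    array $allowed = ['em', 'strong', 'ul', 'li']
): string {
    $escaped = escape_html($text);
    foreach ($allowed as $tag) {
        $escaped = str_replace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $escaped
        );
    }
    return $escaped;
}

// Constructed sample input: the chatbox message quoted in the thread.
$chat = "<script type='text/javascript'>window.location='some_porn_site'</script>";

// Constructed sample input: owner-entered content with an en dash (U+2013),
// one plain <em> pair and one <em> that carries an event-handler attribute.
$owner = "Open 9\u{2013}5, <em>closed</em> Sundays <em onclick=\"x()\">";

// The browser shows the message as text; no script element is created.
echo escape_html($chat), "\n";

// The plain <em> pair is restored, the attribute-carrying tag stays
// escaped, and the en dash is emitted as the same UTF-8 bytes.
echo escape_with_allowed_tags($owner), "\n";
```

The page itself must also be served as UTF-8 (Content-Type header or meta charset) for the en dash to display correctly.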

Archived

This topic is now archived and is closed to further replies.
