Recipe 9.9 Escaping Control Characters from User Data
9.9.1 Problem
You want to securely display user-entered data on an HTML page.
9.9.2 Solution
To display HTML as plain text, so that embedded links and other tags appear literally instead of being rendered, use htmlentities( ):
echo htmlentities("<p>O'Reilly & Associates</p>");
&lt;p&gt;O'Reilly &amp; Associates&lt;/p&gt;
9.9.3 Discussion
PHP has a pair of functions to escape characters in HTML. The most basic is htmlspecialchars( ), which escapes four characters: <, >, ", and &. Depending on optional parameters, it can also translate ' instead of or in addition to ". For more complex encoding, use htmlentities( ); it expands on htmlspecialchars( ) to encode any character that has an HTML entity.
$html = "<a href='fletch.html'>Stew's favorite movie.</a>\n";
print htmlspecialchars($html);               // default: escapes double quotes only
print htmlspecialchars($html, ENT_QUOTES);   // escapes single and double quotes
print htmlspecialchars($html, ENT_NOQUOTES); // escapes neither kind of quote
&lt;a href='fletch.html'&gt;Stew's favorite movie.&lt;/a&gt;
&lt;a href=&#039;fletch.html&#039;&gt;Stew&#039;s favorite movie.&lt;/a&gt;
&lt;a href='fletch.html'&gt;Stew's favorite movie.&lt;/a&gt;
Both functions allow you to pass in a character encoding table that defines which characters map to which entities. To retrieve either table used by the previous functions, call get_html_translation_table( ) and pass in HTML_ENTITIES or HTML_SPECIALCHARS. This returns an array that maps characters to entities; you can use it as the basis for your own table.
$copyright = "Copyright © 2003 O'Reilly & Associates\n";
$table = get_html_translation_table(); // get <, >, ", and &
$table['©'] = '&copy;';                 // add ©
print strtr($copyright, $table);
Copyright &copy; 2003 O'Reilly &amp; Associates
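The following is an added example, not code from the recipe, that pulls the discussion together: it escapes one constructed piece of user-supplied text with the quote flags discussed above, with htmlentities( ), and with a custom table built from get_html_translation_table( ), and it shows the one failure mode the recipe does not mention, invalid UTF-8 input. The helper names escapeHtml( ) and escapeHtmlEntities( ), the sample strings, and the explicit 'UTF-8' charset and ENT_SUBSTITUTE flag are assumptions of this example; the flag constants are PHP's own.

```php
<?php
// Added example (not from the recipe): escaping user-supplied text for
// display in HTML. $userText and $bad are constructed sample values.

// Escape text for placement between tags or inside an attribute value.
// ENT_QUOTES converts ' (to &#039; under ENT_HTML401) as well as ", so the
// result is safe inside single- or double-quoted attributes; the explicit
// charset keeps multibyte input from being mis-decoded.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Same, but every character with a named entity (©, é, ...) is encoded too,
// which is what htmlentities() adds over htmlspecialchars().
function escapeHtmlEntities(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

$userText = "Stew's <b>favorite</b> movie & © 2003";   // constructed sample input

// 1. ENT_COMPAT (the recipe's first call): " is encoded, ' is left alone.
print htmlspecialchars($userText, ENT_COMPAT, 'UTF-8') . "\n";
// Stew's &lt;b&gt;favorite&lt;/b&gt; movie &amp; © 2003

// 2. ENT_QUOTES: both quote characters are encoded.
print escapeHtml($userText) . "\n";
// Stew&#039;s &lt;b&gt;favorite&lt;/b&gt; movie &amp; © 2003

// 3. htmlentities(): the copyright sign becomes &copy; as well.
print escapeHtmlEntities($userText) . "\n";
// Stew&#039;s &lt;b&gt;favorite&lt;/b&gt; movie &amp; &copy; 2003

// 4. A custom table, as in the recipe: start from the specialchars table
//    (with quotes included) and add one entry the table lacks.
$table = get_html_translation_table(HTML_SPECIALCHARS, ENT_QUOTES | ENT_HTML401, 'UTF-8');
$table['©'] = '&copy;';
print strtr($userText, $table) . "\n";
// Stew&#039;s &lt;b&gt;favorite&lt;/b&gt; movie &amp; &copy; 2003

// 5. Using the escaped value in a single-quoted attribute and as element
//    text; because ' was encoded in step 2, the attribute cannot be closed
//    early by the user-supplied apostrophe.
print "<p title='" . escapeHtml($userText) . "'>" . escapeHtml($userText) . "</p>\n";

// 6. Edge case: with an explicit flag set that omits ENT_SUBSTITUTE (and
//    ENT_IGNORE), htmlspecialchars() returns an empty string for input that
//    is not valid in the given charset, silently dropping the whole value.
//    ENT_SUBSTITUTE replaces the bad sequence with U+FFFD instead.
$bad = "caf\xE9";   // constructed: a Latin-1 byte, invalid as UTF-8
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8') === '');   // bool(true)
print escapeHtml($bad) . "\n";   // "caf" followed by the replacement character
```

The charset argument matters for the table-based approach as well: strtr( ) matches byte sequences, so the key '©' in $table only matches input in the same encoding as the source file.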
9.9.4 See Also
Recipe 13.9, Recipe 18.21, and Recipe 10.8; documentation on htmlentities( ) at http://www.php.net/htmlentities and htmlspecialchars( ) at http://www.php.net/htmlspecialchars.