htmlspecialchars

问题 I am trying to create a simple method which accepts the parameters for htmlspecialchars. Although I am getting PHP notice: Use of undefined constant ENT_HTML5 - assumed 'ENT_HTML5' Any ideas what could be causing this? /** * Encode string. * * @param array/string $value * @param string $param * @return string */ protected function escape($mixed, $params) { $defaults = array('flags' => ENT_QUOTES | ENT_HTML5, 'charset' => 'UTF-8'); $params = array_merge($defaults, $params); if (is_array($mixed

问题 Here is the line of code I have which works great: $content = htmlspecialchars($_POST['content'], ENT_QUOTES); But what I would like to do is allow only certain types of HTML code to pass through without getting converted. Here is the list of HTML code that I would like to have pass: <pre> </pre> <b> </b> <em> </em> <u> </u> <ul> </ul> <li> </li> <ol> </ol> And as I go, I would like to also be able to add in more HTML later as I think of it. Could someone help me modify the code above so that

问题 Here is the line of code I have which works great: $content = htmlspecialchars($_POST['content'], ENT_QUOTES); But what I would like to do is allow only certain types of HTML code to pass through without getting converted. Here is the list of HTML code that I would like to have pass: <pre> </pre> <b> </b> <em> </em> <u> </u> <ul> </ul> <li> </li> <ol> </ol> And as I go, I would like to also be able to add in more HTML later as I think of it. Could someone help me modify the code above so that

问题 Assuming I have a sting which is "a s d d" and htmlentities turns it into "a s d d" . How to replace (using preg_replace) it without encoding it to entities? I tried preg_replace('/[\xa0]/', '', $string); , but it's not working. I'm trying to remove those special characters from my string as I don't need them What are possibilities beyond regexp? Edit String I want to parse: http://pastebin.com/raw/7eNT9sZr with function preg_replace('/[\r\n]+/', "[##]", $text) for later implode("</p><p>",

问题 Is converting special characters to HTML entities in form validation and database query using PHP PDO using htmlspecialchars() function really necessary? For example, I have a website with simple login system more or less like: $username = (string) htmlspecialchars($_POST['user']); $password = (string) htmlspecialchars($_POST['pass']); $query = $dbh->prepare("select id where username = ? and password = ?") $query->execute($username, $password); Note that I also use type casting besides the

问题 this may seem like a simple problem but I couldn't find it in the archives. how does one reverse the effects of htmlspecialchars? I tried something like this: $trans_tbl = get_html_translation_table (HTML_ENTITIES); $trans_tbl = array_flip ($trans_tbl); $html = strtr ($html, $trans_tbl); but it didn't work. is there a simple way to do this? 回答1: Use htmlspecialchars_decode() <?php $str = "<p>this -> "</p>\n"; echo htmlspecialchars_decode($str); // note that here the quotes aren't converted

问题 I have staff.php page which contains staff's name,position and detail.When user would need to edit staff info,they would be send to edit.php page. edit.php page show name and title on text field and detail on a textarea My question is,do I even need htmlspecialchars in edit.php page.I am not printing anything to users page,only on that fields.But I'm using htmlspecialchars on staff.php before printing to user. Is it still open to XSS Attack ? Code part from staff.php $staff.="<div id='sob'>"

问题 I am outputting a string that consists of html content to a html file, but in the html file the html special characters are encoded (for example " in \" ). I've even used htmlspecialcharacters_decode before using the write functions. The wierd part is that on my computer the characters are not encoded, while uploaded on some server are encoded. How can I deal with this problem? Anticipated thanks! 回答1: You are probably suffering from Magic Quotes Check you phpinfo(); To clear Magic Quotes

问题 I am using HTMLPurifier for simple Tinymce WYSIWYG .If I don't use htmlspecialchars ,would it be open to XSS Attack ?This is what I'm doing $detail = $purifier->purify($detail); to purify data for that textarea .If I use htmlspecialchars ,it strips all basic tags as well which is not user friendly for an WYSIWYG editor.But the problem is,this allows <script> tag as well. And if I change conf setting to $config->set('ExtractStyleBlocks.1', true); It doesn't allow < and > for <script> tag

问题 In the htmlspecialchars function, if you set the ENT_SUBSTITUTE flag, it is supposed to replace some invalid characters. What characters are replaced? And what is the mapping between the invalid characters and the ones that are used to replace it? 回答1: There is only one, universal replacement character: U+FFFD. If you are writing out UTF-8, then this codepoint is appropriately encoded. If not, you get the corresponding character reference � instead. There is no reversible mapping. By