
You can visit this link for an example of my problem: http://jflaugher.mystudentsite.net/cmweb241/cmweb241_lab2.html

Everything is working correctly, except that I am having problems utilizing htmlspecialchars in my echo. I want the entity to show up in the echo and not the HTML character. I have tried placing the htmlspecialchars within the echo, but then the paragraph tags show up. How do I utilize htmlspecialchars in the echo, and display the echo in a paragraph tag? I have been at this for some time and have gotten nowhere, as I am very new to PHP.

For example, when I enter a '&', I get that echoed back. Instead of the '&', I want the entity &amp; to be echoed.

<?php
// Strip quotes from the posted fields, then escape them for HTML.
// htmlspecialchars() turns &, <, > and " into entities (&amp;, &lt;, ...),
// so the browser renders the original character rather than the entity text.
$username = htmlspecialchars(str_replace(array("'", "\""), "", $_POST['username']));
$password = htmlspecialchars(str_replace(array("'", "\""), "", $_POST['password']));
$comment  = htmlspecialchars(str_replace(array("'", "\""), "", $_POST['comment']));

// Double-quoted strings interpolate the variables into the paragraph markup.
echo "<p> Your Username is: $username .</p> ";
echo " <p>Your Password is: $password . </p>";
echo " <p>Your Comment was: $comment . </p>";
?>
Jeremy Flaugher
  • where are you viewing this output? in a browser? in an html context, the browser will show the rendered character, not the entity you embedded in the text. try a 'view source', which'd show the entities. – Marc B Feb 08 '13 at 17:39
  • Please be more clear on the input and the expected output. I have no idea where you think the problem is. Also, why are you replacing quotes? – deceze Feb 08 '13 at 17:40
  • @MarcB I am viewing the echo in a browser. When I enter a '&' for example, I get echoed back a '&'. I instead want the entity &amp; to be echoed. – Jeremy Flaugher Feb 08 '13 at 17:42
  • I don't understand, what you mean by this: "I am wanting the entity to show up in the echo and not the html character". Provide an example input and the correct output you want to get. – user4035 Feb 08 '13 at 17:42
  • That's normal. a bare `&` is generally always rendered as a `&` by browsers, even though technically it should be treated as a broken entity. but if you do `echo '&amp;'`, the browser will render a `&`, but view-source will show you `&amp;`. – Marc B Feb 08 '13 at 17:43

4 Answers

Say you enter &.
htmlspecialchars will turn this into &amp;.
&amp; is the HTML entity for &, so viewing the result in a browser displays &.

This is the normal purpose of htmlspecialchars, it preserves the visible character by escaping it for the medium (HTML) appropriately.

If you want & to turn into a visible &amp;, the browser will need to receive &amp;amp;. Apply htmlspecialchars twice to do that:

htmlspecialchars(htmlspecialchars($_POST['username']))

Maybe The Great Escapism (Or: What You Need To Know To Work With Text Within Text) helps you to understand the topic better.

deceze
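A runnable illustration of the single- versus double-escaping difference described above, added here as an example (it is not code from the question or from any answer). The input string is constructed, and html_entity_decode() is used only as a rough stand-in for what a browser does with entities when it renders the page:

```php
<?php
declare(strict_types=1);

// Escape once: safe to embed in an HTML text node or attribute.
// ENT_QUOTES also escapes single quotes, so the separate str_replace()
// of quotes in the question is not needed for output safety.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape twice: the browser decodes one layer and renders the entity
// text itself (e.g. the characters "&amp;" become visible on the page).
function show_entities(string $value): string
{
    return escape_for_html(escape_for_html($value));
}

// Approximation of what a browser displays for a given chunk of HTML
// source: it decodes exactly one layer of entities.
function browser_renders(string $html): string
{
    return html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input (not from any real form submission).
$input = "Tom & Jerry <script>alert('x')</script>";

$once  = escape_for_html($input);
$twice = show_entities($input);

echo "Sent once (view-source): ", $once, "\n";
echo "Browser displays:        ", browser_renders($once), "\n";
echo "Sent twice (view-source): ", $twice, "\n";
echo "Browser displays:         ", browser_renders($twice), "\n";

// Sanity check of the relationship the answer describes: decoding the
// double-escaped form gives back the single-escaped form.
var_dump(browser_renders($twice) === $once);
```

Running this from the command line prints the single-escaped string, the original text, the double-escaped string, and then the single-escaped string again as what the browser would display; the final check prints bool(true).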

I'm not sure what this means:

I am wanting the entity to show up in the echo and not the html character.

Are you saying that you want the entity to be displayed in your web page? htmlspecialchars is converting the characters to entities, but a browser will display those entities as the characters they represent.

If you want to actually see the entities in your browser, you can double-escape the values:

$username = htmlspecialchars(htmlspecialchars(str_replace(array("'", "\""), "", $_POST['username'])));

But I don't really think that's the purpose of the exercise you're doing.

JLRishe
  • Say I enter a '&' into the textarea. The echo gives me the '&', but I am instead wanting it to be the entity &amp;. – Jeremy Flaugher Feb 08 '13 at 17:40
  • No, the echo gives you the entity `&amp;`. Your browser renders that as `&`. If you view source on your webpage, you will see that the `&`, `<`, and `>` it's displaying are entities in the source. – JLRishe Feb 08 '13 at 17:52
  • This is exactly what I was looking for. Instead of the & showing up, I wanted the entity to show up. I guess I asked the question wrong. – Jeremy Flaugher Feb 08 '13 at 18:02
  • No worries. I guess it would have been a bit clearer if you had said "I want the entity to display in the browser (so that I can see `&amp;` in the browser instead of `&`)" or something like that, but you clarified what you meant and that's what matters. :) – JLRishe Feb 08 '13 at 18:09

If you want to display the entities, you could apply htmlspecialchars() twice and it will turn all the & in &amp; to &amp;amp; and thus the entity itself will be displayed.

Another method is wrapping the output in <pre></pre> tags.

Dunhamzzz

Try this approach:

<?php
$string = "<tag>&";

// ENT_QUOTES escapes both kinds of quotes; the charset is given explicitly.
$string = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
print $string;

It will print:

&lt;tag&gt;&amp;

How to prevent XSS with HTML/PHP?

user4035