
When is the htmlspecialchars() to be used exactly?

I know that Laravel's {{}} is automatically escaping, but I have a case where I don't know how to implement {{}} - see "view" example, so I would go instead for htmlspecialchars(). As far as I know it should be used each time I output info previously stored in the DB, but in my case I also have pictures, which are stored in a folder on the server. Once the user tries to upload picture(s) he receives error messages (in a red <div>) with the name of the successfully/unsuccessfully uploaded picture. Does that need to be escaped too? I don't know whether the view info should be escaped. So that the error messages could still remain red, I decided to use htmlspecialchars() in the controller, which I suppose is terribly wrong?

Controller

    if (......)
        {
        // The client-supplied file name is untrusted input; it is escaped before being embedded in HTML.
        $msgs[] = '<div style="color:red">Could not upload: ' . htmlspecialchars($_FILES['image']['name'][$key]) . ' - picture size should be less than 10MB, in the following formats: jpg, jpeg, gif, png, bmp.</div>';
        }
    else
        {
        $fileToMove = $_FILES["image"]["tmp_name"][$key];
        // basename() drops any directory part the client put into the name, so the
        // name cannot steer the write outside the images/ folder.
        $newFileLoc = 'images' . DIRECTORY_SEPARATOR . time() . basename($_FILES['image']['name'][$key]);
        // move_uploaded_file() returns false on failure; do not report success in that case.
        if (move_uploaded_file($fileToMove, $newFileLoc))
            {
            $msgs[] = '<div>Picture ' . htmlspecialchars($_FILES['image']['name'][$key]) . ' has been successfully uploaded to the gallery!</div>';
            }
        else
            {
            $msgs[] = '<div style="color:red">Could not upload: ' . htmlspecialchars($_FILES['image']['name'][$key]) . ' - the server could not store the file.</div>';
            }
        }
    } // closes the surrounding loop over the uploaded files (not shown)
Cœur
  • Refer: http://php.net/manual/en/function.htmlspecialchars.php – rishipuri May 26 '17 at 15:33
  • Possible duplicate of [when to use htmlspecialchars() function?](https://stackoverflow.com/questions/4882307/when-to-use-htmlspecialchars-function) – Mikey May 26 '17 at 15:46
  • No, it isn't, but thank you – cyberspacelogin May 26 '17 at 15:50
  • 90% of what you write manually is already implemented in Laravel somehow, for example file upload (with validation included) and folder structure listing; the whole route magic in your route file is simply wrong and should be in Middleware. Please do read the whole documentation from top to bottom; it's just for your own sake. – Kyslik May 26 '17 at 16:14
  • thank you, will do – cyberspacelogin May 26 '17 at 16:49

1 Answer


Internally, when you use {{ }} in Blade syntax, I believe it calls the e() method. So instead of using htmlspecialchars($someString), you should use e($someString).

You should use this any time you are putting data onto your page which has previously been submitted by the user to your system.

user1669496
  • Thanks, that was helpful, but can I also use it in the Controller or just the view? Do you think the way I have used it in the Controller is ok? – cyberspacelogin May 26 '17 at 15:54
  • You can use `e()` anywhere and yes, the way you use it in your controller looks okay to me, although as you said, it could probably be cleaned up a little bit because your controller and view both seem to be stepping on each other's toes a bit. – user1669496 May 26 '17 at 15:58
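The following is an added example by the editor, not code from the question or from the answer above, and it is not Laravel's own code: plain PHP that runs without a Laravel bootstrap and shows the split the answer hints at. The controller records data (which upload failed, and its client-supplied name), the view is where the name gets escaped and where the red styling lives, and the stored file name is derived with basename() plus an allow-list rather than concatenated raw. The escape_html() function is a stand-in for Laravel's e() helper, which is assumed here to be a thin wrapper over htmlspecialchars() with ENT_QUOTES and UTF-8; the sample upload list is constructed to stand in for $_FILES['image'] after a multi-file upload.

```php
<?php
// Added example: plain PHP, run with `php escape_demo.php`. Not Laravel's code.
declare(strict_types=1);

/**
 * Stand-in for Laravel's e() helper (assumption: e() wraps htmlspecialchars()
 * with ENT_QUOTES and UTF-8). ENT_QUOTES also escapes the single quote, which
 * the pre-PHP-8.1 default of htmlspecialchars() (ENT_COMPAT) leaves alone;
 * an attribute written with single quotes is otherwise still injectable.
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Derive a storage name from the client-supplied name: drop any directory
 * part and accept only a conservative stem plus an allowed image extension.
 * Returns null when the name is not acceptable.
 */
function safe_upload_name(string $clientName): ?string
{
    $base = basename($clientName);
    if (!preg_match('/^[A-Za-z0-9._-]{1,100}\.(jpe?g|gif|png|bmp)$/i', $base)) {
        return null;
    }
    return time() . '_' . $base;
}

/**
 * Controller side: record facts, not markup. Nothing is escaped here because
 * nothing is being rendered yet; the view decides colour and does the escaping.
 */
function upload_messages(array $uploads, int $maxBytes = 10 * 1024 * 1024): array
{
    $msgs = [];
    foreach ($uploads as $upload) {
        $ok = $upload['size'] <= $maxBytes && safe_upload_name($upload['name']) !== null;
        $msgs[] = ['error' => !$ok, 'name' => $upload['name']];
    }
    return $msgs;
}

/**
 * View side: the one place where user data meets HTML. In Blade this is what
 * {{ $msg['name'] }} does for you; the red <div> stays a template concern.
 */
function render_messages(array $msgs): string
{
    $html = '';
    foreach ($msgs as $msg) {
        $name = escape_html($msg['name']);
        if ($msg['error']) {
            $html .= '<div style="color:red">Could not upload: ' . $name
                . ' - picture size should be less than 10MB, in the following formats: jpg, jpeg, gif, png, bmp.</div>' . "\n";
        } else {
            $html .= '<div>Picture ' . $name . ' has been successfully uploaded to the gallery!</div>' . "\n";
        }
    }
    return $html;
}

// Constructed sample input standing in for $_FILES['image'] after a multi-upload.
$uploads = [
    ['name' => 'holiday.png',                      'size' => 120000],
    ['name' => '<img src=x onerror=alert(1)>.png', 'size' => 50000],
    ['name' => '../../../etc/passwd',              'size' => 10],
    ['name' => 'huge.jpg',                         'size' => 20 * 1024 * 1024],
];

// The second name is rejected by safe_upload_name() and, when echoed back in
// the error message, appears as inert text: &lt;img src=x onerror=alert(1)&gt;.png
echo render_messages(upload_messages($uploads));
```

Because $msgs now carries plain values instead of pre-built HTML, the Blade template can loop with @foreach ($msgs as $msg), print {{ $msg['name'] }} and attach style="color:red" only when $msg['error'] is set, so no {!! !!} raw output is needed anywhere. The extension allow-list in safe_upload_name() limits the stored name; it says nothing about the file's content, which is a separate check (for instance with getimagesize() or Laravel's image validation rule).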