The php Function HTMLentities

The php function htmlentities turns special characters in a string into their HTML entity equivalents. This can be useful if you're processing user input that may be used in a query or for a URL and that could contain special characters like angle brackets and > or ampersands & and , etc.

You'll want to run this function before using a function that will edit the text of your page, such as nl2br(). This will prevent the text from becoming garbled in case your input contains special characters that aren't valid HTML.

In general, you'll want to use htmlentities for anything that will get displayed to a browser or saved in an HTML file for later viewing. This includes things that will be stored in a database, such as names, or values entered by a user in a form.

Another way that you might use htmlentities is to protect against cross-site scripting (XSS). For example, if a user enters a string in your application such as "angle 30" or "sturm & drang", then that will display in the browser as HTML and could potentially be used by an attacker to inject malicious code into the web page. Using htmlentities will ensure that such strings are escaped and treated as plain text.

Note that this is different from the strip_tags() function which strips tags from a string. Both functions serve different purposes, and you'll want to use the right one depending on your application's needs.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

htmlentities example


                            if (!empty($text)) {
                                $this->_elements[$id]['value'] = $text;
                                $element['value'] = $text;
                            }
                            break;

                        case 'detail':
                            if ($orderNumber !== null) {
                                $getName = Shopware()->Modules()->Articles()->sGetArticleNameByOrderNumber($orderNumber);
                                $text = Shopware()->Snippets()->getNamespace('frontend/detail/comment')->get('InquiryTextArticle');
                                $text .= ' ' . $getName . ' (' . htmlentities($orderNumber, ENT_QUOTES | ENT_HTML5) . ')';
                                $this->_elements[$id]['value'] = $text;
                                $element['value'] = $text;
                            }
                            break;
                    }
                }

                $fields[$id] = $this->_createInputElement($element$this->_postData[$id] ?? null);
                $labels[$id] = $this->_createLabelElement($element);
            }
        }

        
protected function enc($text$attribute = false)
    {
        // Escape the text rather than convert to named character references.         if (!$this->encode) {
            return $this->escape($text$attribute);
        }

        // If we are in PHP 5.4+ we can use the native html5 entity functionality to         // convert the named character references.
        if ($this->hasHTML5) {
            return htmlentities($text, ENT_HTML5 | ENT_SUBSTITUTE | ENT_QUOTES, 'UTF-8', false);
        }         // If a version earlier than 5.4 html5 entities are not entirely handled.         // This manually handles them.         else {
            return strtr($text, HTML5Entities::$map);
        }
    }

    /** * Escape test. * * According to the html5 spec section 8.3 Serializing HTML fragments, text * within tags that are not style, script, xmp, iframe, noembed, and noframes * need to be properly escaped. * * The & should be converted to &amp;, no breaking space unicode characters * converted to &nbsp;, when in attribute mode the " should be converted to * &quot;, and when not in attribute mode the < and > should be converted to * &lt; and &gt;. * * @see http://www.w3.org/TR/2013/CR-html5-20130806/syntax.html#escapingString * * @param string $text Text to escape. * @param bool $attribute True if we are escaping an attrubute, false otherwise. */
/** * @dataProvider getProviderInvalidTerms */
    public function testSearchWithHtml(string $term): void
    {
        $browser = KernelLifecycleManager::createBrowser($this->getKernel());
        $browser->request('GET', $_SERVER['APP_URL'] . '/search?search=' . urlencode($term));

        $html = $browser->getResponse()->getContent();

        static::assertStringNotContainsString($term$html);
        static::assertStringContainsString(htmlentities($term)$html);
    }

    public static function getProviderInvalidTerms(): iterable
    {
        yield ['<h1 style="color:red">Test</h1>'];
        yield ['<script\x20type="text/javascript">javascript:alert(1);</script>'];
        yield ['<img src=1 href=1 onerror="javascript:alert(1)"></img>'];
        yield ['<audio src=1 href=1 onerror="javascript:alert(1)"></audio>'];
        yield ['<video src=1 href=1 onerror="javascript:alert(1)"></video>'];
        yield ['<body src=1 href=1 onerror="javascript:alert(1)"></body>'];
        yield ['<object src=1 href=1 onerror="javascript:alert(1)"></object>'];
        
/** * Defined by Zend_Filter_Interface * * Returns the string $value, converting characters to their corresponding HTML entity * equivalents where they exist * * @param string $value * @return string */
    public function filter($value)
    {
        $filtered = htmlentities((string) $value$this->getQuoteStyle()$this->getEncoding()$this->getDoubleQuote());
        if (strlen((string) $value) && !strlen($filtered)) {
            if (!function_exists('iconv')) {
                throw new Zend_Filter_Exception('Encoding mismatch has resulted in htmlentities errors');
            }
            $enc      = $this->getEncoding();
            $value    = iconv('', $enc . '//IGNORE', (string) $value);
            $filtered = htmlentities($value$this->getQuoteStyle()$enc$this->getDoubleQuote());
            if (!strlen($filtered)) {
                throw new Zend_Filter_Exception('Encoding mismatch has resulted in htmlentities errors');
            }
        }
        
 else {
                $returnstring .= ' '.(preg_match("#[\x20-\x7E]#", $string[$i]) ? $string[$i] : 'ยค');
            }
            if ($spaces) {
                $returnstring .= ' ';
            }
        }
        if (!empty($htmlencoding)) {
            if ($htmlencoding === true) {
                $htmlencoding = 'UTF-8'; // prior to getID3 v1.9.0 the function's 4th parameter was boolean             }
            $returnstring = htmlentities($returnstring, ENT_QUOTES, $htmlencoding);
        }
        return $returnstring;
    }

    /** * Truncates a floating-point number at the decimal point. * * @param float $floatnumber * * @return float|int returns int (if possible, otherwise float) */
    
return htmlspecialchars($string, ENT_QUOTES, $char_set$double_encode);

        case 'htmlall':
            if (Smarty::$_MBSTRING) {
                // mb_convert_encoding ignores htmlspecialchars()                 $string = htmlspecialchars($string, ENT_QUOTES, $char_set$double_encode);
                // htmlentities() won't convert everything, so use mb_convert_encoding                 return mb_convert_encoding($string, 'HTML-ENTITIES', $char_set);
            }

            // no MBString fallback             return htmlentities($string, ENT_QUOTES, $char_set$double_encode);

        case 'url':
            return rawurlencode($string);

        case 'urlpathinfo':
            return str_replace('%2F', '/', rawurlencode($string));

        case 'quotes':
            // escape unescaped single quotes             return preg_replace("%(?<!\\\\)'%", "\\'", $string);

        

    private function parseChangeLog(string $html): string
    {
        $html = strip_tags($html, '<br><i><b><strong><em><del><u><div><span><ul><li><ll><ol><p><a>');

        if ($html === '') {
            return '';
        }

        $dom = new DOMDocument();
        $dom->loadHTML(htmlentities($html));

        $nodes = (new DOMXPath($dom))->query("//@*[local-name() != 'href']");
        if ($nodes === false) {
            return '';
        }

        foreach ($nodes as $node) {
            $parentNode = $node->parentNode;
            if ($parentNode instanceof DOMElement) {
                $parentNode->removeAttribute($node->nodeName);
            }
        }
if (\is_string($value)) {
        $value = strtotime($value);
    } elseif ($value instanceof DateTime) {
        /** @var \DateTime $value */
        $value = $value->getTimestamp();
    }

    $date = new Zend_Date($value, Zend_Date::TIMESTAMP, $locale);

    $value = $date->toString($format$type);

    $value = htmlentities($value, ENT_COMPAT, 'UTF-8', false);

    return $value;
}

      'destination' => [
        'plugin' => 'entity:no_language_entity_test',
        'translations' => TRUE,
      ],
    ]);

    $message = $this->prophesize(MigrateMessageInterface::class);
    // Match the expected message. Can't use default argument types, because     // we need to convert to string from TranslatableMarkup.     $argument = Argument::that(function D$msg) {
      return str_contains((string) $msghtmlentities('The "no_language_entity_test" entity type does not support translations.'));
    });
    $message->display($argument, Argument::any())
      ->shouldBeCalled();

    $executable = new MigrateExecutable($migration$message->reveal());
    $executable->import();
  }

}
if (!empty($position) && \is_string($position)) {
        $position = strtoupper($position);
        if (\defined('Zend_Currency::' . $position)) {
            $config['position'] = \constant('Zend_Currency::' . $position);
        }
    }

    $currency = Shopware()->Container()->get('currency');
    $formattedValue = (float) str_replace(',', '.', (string) $value);
    $formattedValue = $currency->toCurrency($formattedValue$config);

    return htmlentities($formattedValue, ENT_COMPAT, 'UTF-8', false);
}

    public function sHtmlEntities($string$char_set = null)
    {
        if (empty($char_set)) {
            $char_set = $this->sSettings['encoding'];
        }

        return htmlentities($string, ENT_COMPAT | ENT_HTML401, $char_set);
    }

    /** * @param string|null $string * @param string $esc_type * @param string|null $char_set * * @return mixed|string */
    public function sFormatString($string$esc_type = '', $char_set = null)
    {
        

        }

        if (!empty($params['tag'])) {
            $params['tag'] = strtolower($params['tag']);

            $attr = '';
            foreach ($params as $key => $param) {
                if (\in_array($key['name', 'tag', 'assign', 'name', 'namespace', 'default', 'force'])) {
                    continue;
                }
                $attr .= ' ' . $key . '="' . htmlentities($param, ENT_COMPAT, mb_internal_encoding(), false) . '"';
            }

            $content = htmlentities($content, ENT_COMPAT, mb_internal_encoding(), false);
            $content = "<{$params['tag']}$attr>" . $content . "</{$params['tag']}>";
        }

        if (isset($params['assign'])) {
            if ($template !== null) {
                $template->assign($params['assign']$content);
            }

            
// let PCRE (preg_*) treat strings as ISO-8859-1 if we're not dealing with UTF-8 if (Smarty::$_CHARSET !== 'UTF-8') {
    Smarty::$_UTF8_MODIFIER = '';
}

/** * Smarty exception class * @package Smarty */
class SmartyException extends Exception {
    public function __construct($message) {
        $this->message = htmlentities($message);
    }
}

/** * Smarty compiler exception class * @package Smarty */
class SmartyCompilerException extends SmartyException  {
}

/** * Autoloader */


        foreach ($fetchLoggedInUsers as &$user) {
            $user['customer'] = htmlentities($user['customer'], ENT_COMPAT | ENT_HTML401, 'UTF-8');
        }

        $this->View()->assign(
            [
                'success' => true,
                'data' => [
                    'customers' => $fetchLoggedInUsers,
                    'visitors' => $result,
                    'currentUsers' => $currentUsers,
                ],
            ]
        );
$widget_options[ $widget_id ]['number'] = $number;

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['widget-rss'][ $number ] ) ) {
        $_POST['widget-rss'][ $number ]         = wp_unslash( $_POST['widget-rss'][ $number ] );
        $widget_options[ $widget_id ]           = wp_widget_rss_process( $_POST['widget-rss'][ $number ] );
        $widget_options[ $widget_id ]['number'] = $number;

        // Title is optional. If black, fill it if possible.         if ( ! $widget_options[ $widget_id ]['title'] && isset( $_POST['widget-rss'][ $number ]['title'] ) ) {
            $rss = fetch_feed( $widget_options[ $widget_id ]['url'] );
            if ( is_wp_error( $rss ) ) {
                $widget_options[ $widget_id ]['title'] = htmlentities( __( 'Unknown Feed' ) );
            } else {
                $widget_options[ $widget_id ]['title'] = htmlentities( strip_tags( $rss->get_title() ) );
                $rss->__destruct();
                unset( $rss );
            }
        }

        update_option( 'dashboard_widget_options', $widget_options );

        $locale    = get_user_locale();
        $cache_key = 'dash_v2_' . md5( $widget_id . '_' . $locale );
        
Home | Imprint | This part of the site doesn't use cookies.