htmlspecialchars - PHP code example

The php Function HTMLspecialChars

Some characters have special significance in HTML and must be represented by HTML entities if you want to preserve their meanings. These characters include & (ampersand), " (single quote), (less than) and > (greater than). The function htmlspecialchars converts these character into their entity representations, and returns a string with these conversions made. The function htmlentities does the opposite, converting the entity representations back to the original characters.

If you want to make sure that your web page displays correctly, you should run any text users enter into forms or other data through htmlspecialchars before displaying it to the user. Otherwise, if the user enters something like "angle 30" or "sturm & drang", your browser will think this is HTML and display it garbled. If you are concerned about XSS attacks you should also consider stripping tags with the function strip_tags(), but this does not protect against the potential for abuse of attributes that are preserved, such as style and onmouseover.

The php function htmlspecialchars has many optional parameters that you can use to customize its behavior. Some of the most important are the flags that control how it handles quotes, and how it deals with invalid code sequences. There is also an argument for the document type, which controls whether a string should be treated as plaintext or as HTML. For example, the document type ENT_XML1 will treat and as HTML entities but not as regular characters, while ENT_HTML5 treats them as regular characters.

htmlspecialchars example

return $this->encoding;
    }

    /** * Escape a string for the HTML Body context where there are very few characters * of special meaning. Internally this will use htmlspecialchars(). * * @return string */
    public function escapeHtml(string $string)
    {
        return htmlspecialchars($string, $this->htmlSpecialCharsFlags, $this->encoding);
    }

    /** * Escape a string for the HTML Attribute context. We use an extended set of characters * to escape that are not covered by htmlspecialchars() to cover cases where an attribute * might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE). * * @return string */
    public function escapeHtmlAttr(string $string)
    {

        if ( ! $success ) {
            $this->ready = false;
            if ( ! did_action( 'template_redirect' ) ) {
                wp_load_translations_early();

                $message = '<h1>' . __( 'Cannot select database' ) . "</h1>\n";

                $message .= '<p>' . sprintf(
                    /* translators: %s: Database name. */
                    __( 'The database server could be connected to (which means your username and password is okay) but the %s database could not be selected.' ),
                    '<code>' . htmlspecialchars( $db, ENT_QUOTES ) . '</code>'
                ) . "</p>\n";

                $message .= "<ul>\n";
                $message .= '<li>' . __( 'Are you sure it exists?' ) . "</li>\n";

                $message .= '<li>' . sprintf(
                    /* translators: 1: Database user, 2: Database name. */
                    __( 'Does the user %1$s have permission to use the %2$s database?' ),
                    '<code>' . htmlspecialchars( $this->dbuser, ENT_QUOTES ) . '</code>',
                    '<code>' . htmlspecialchars( $db, ENT_QUOTES ) . '</code>'
                ) . "</li>\n";

if ($fmt = $options['fileLinkFormat']) {
            return \is_string($fmt) ? strtr($fmt, ['%f' => $file, '%l' => $line]) : $fmt->format($file, $line);
        }

        return false;
    }
}

function esc(string $str): string
{
    return htmlspecialchars($str, \ENT_QUOTES, 'UTF-8');
}

case 'boolean' :
        case 'NULL' :
        case 'resource' :
            if (true === $var) {
                $results = 'true';
            } elseif (false === $var) {
                $results = 'false';
            } elseif (null === $var) {
                $results = 'null';
            } else {
                $results = htmlspecialchars((string) $var);
            }
            $results = '<i>' . $results . '</i>';
            break;

        case 'integer' :
        case 'float' :
            $results = htmlspecialchars((string) $var);
            break;

        case 'string' :
            $results = strtr($var, $_replace);

        if (null !== $entryPoint) {
            $output .= "\n<script type=\"module\"$attributeString>import '".str_replace("'", "\\'", $entryPoint)."';</script>";
        }

        return $output;
    }

    private function escapeAttributeValue(string $value): string
    {
        return htmlspecialchars($value, \ENT_COMPAT | \ENT_SUBSTITUTE, $this->charset);
    }
}

</h1> <form method="post" action="setup-config.php?step=2"> <p><?php _e( 'Below you should enter your database connection details. If you are not sure about these, contact your host.' ); ?></p> <table class="form-table" role="presentation"> <tr> <th scope="row"><label for="dbname"><?php _e( 'Database Name' ); ?></label></th> <td><input name="dbname" id="dbname" type="text" aria-describedby="dbname-desc" size="25" placeholder="wordpress"<?php echo $autofocus; ?>/> <p id="dbname-desc"><?php _e( 'The name of the database you want to use with WordPress.' ); ?></p></td> </tr> <tr> <th scope="row"><label for="uname"><?php _e( 'Username' ); ?></label></th> <td><input name="uname" id="uname" type="text" aria-describedby="uname-desc" size="25" placeholder="<?php echo htmlspecialchars( _x( 'username', 'example username' ), ENT_QUOTES ); ?>" /> <p id="uname-desc"><?php _e( 'Your database username.' ); ?></p></td> </tr> <tr> <th scope="row"><label for="pwd"><?php _e( 'Password' ); ?></label></th> <td> <div class="wp-pwd"> <input name="pwd" id="pwd" type="password" class="regular-text" data-reveal="1" aria-describedby="pwd-desc" size="25" placeholder="<?php echo htmlspecialchars( _x( 'password', 'example password' ), ENT_QUOTES ); ?>" autocomplete="off" spellcheck="false" /> <button type="button" class="button pwd-toggle hide-if-no-js" data-toggle="0" data-start-masked="1" aria-label="<?php esc_attr_e( 'Show password' ); ?>"> <span class="dashicons dashicons-visibility"></span> <span class="text"><?php _e( 'Show' ); ?></span> </button> </div> <p id="pwd-desc">

$attributes = isset($options['attributes']) && \is_array($options['attributes']) ? $options['attributes'] : [];
        if (isset($options['id']) && $options['id']) {
            $attributes['id'] = $options['id'];
        }
        $renderedAttributes = '';
        if (\count($attributes) > 0) {
            $flags = \ENT_QUOTES | \ENT_SUBSTITUTE;
            foreach ($attributes as $attribute => $value) {
                $renderedAttributes .= sprintf(
                    ' %s="%s"',
                    htmlspecialchars($attribute, $flags, $this->charset, false),
                    htmlspecialchars($value, $flags, $this->charset, false)
                );
            }
        }

        return new Response(sprintf('<hx:include src="%s"%s>%s</hx:include>', $uri, $renderedAttributes, $content));
    }

    public function getName(): string
    {
        return 'hinclude';
    }

if (isset($extractParams)) {
                    return '<?php echo htmlspecialchars(Shopware()->Front()->ensureRouter()->assemble(array(' . $params . ')+(array) ' . $extractParams . ')); ?>';
                }

                return '<?php echo htmlspecialchars(Shopware()->Front()->ensureRouter()->assemble(array(' . $params . '))); ?>';
            }
            $params[$index] = is_numeric($param) ? $param : substr($param, 1, -1);
        }

        $url = Shopware()->Front()->ensureRouter()->assemble($params);

        return '<?php echo ' . var_export(htmlspecialchars($url), true) . ';?>';
    }
}

function smarty_modifier_escape($string, $esc_type = 'html', $char_set = null, $double_encode = true)
{
    if (!$char_set) {
        $char_set = Smarty::$_CHARSET;
    }

    switch ($esc_type) {
        case 'html':
            return htmlspecialchars($string, ENT_QUOTES, $char_set, $double_encode);

        case 'htmlall':
            if (Smarty::$_MBSTRING) {
                // mb_convert_encoding ignores htmlspecialchars()                 $string = htmlspecialchars($string, ENT_QUOTES, $char_set, $double_encode);
                // htmlentities() won't convert everything, so use mb_convert_encoding                 return mb_convert_encoding($string, 'HTML-ENTITIES', $char_set);
            }

            // no MBString fallback             return htmlentities($string, ENT_QUOTES, $char_set, $double_encode);

return implode(', ', $result);
    }

    private function formatArgsAsText(array $args): string
    {
        return strip_tags($this->formatArgs($args));
    }

    private function escape(string $string): string
    {
        return htmlspecialchars($string, \ENT_COMPAT | \ENT_SUBSTITUTE, $this->charset);
    }

    private function abbrClass(string $class): string
    {
        $parts = explode('\\', $class);
        $short = array_pop($parts);

        return sprintf('<abbr title="%s">%s</abbr>', $class, $short);
    }

    private function getFileRelative(string $file): ?string
    {

  protected function assertHtmlEsqueFieldValueEquals($field, $value, TraversableElement $container = NULL) {
    $assert_session = $this->assertSession();

    $node = $assert_session->fieldExists($field, $container);
    $actual = $node->getValue();
    $regex = '/^' . preg_quote($value, '/') . '$/ui';

    $message = sprintf('The field "%s" value is "%s", but "%s" expected.', $field, htmlspecialchars($actual), htmlspecialchars($value));

    $assert_session->assert((bool) preg_match($regex, $actual), $message);
  }

  /** * Checks that no real-time validation errors are present. * * @throws \Behat\Mink\Exception\ElementNotFoundException */
  protected function assertNoRealtimeValidationErrors(): void {
    $assert_session = $this->assertSession();

$required_attr = $field['required'] ? ' required' : '';
        $class         = $id;
        $class        .= $field['required'] ? ' form-required' : '';

        $item .= "\t\t<tr class='$class'>\n\t\t\t<th scope='row' class='label'><label for='$name'><span class='alignleft'>{$field['label']}{$required}</span><br class='clear' /></label></th>\n\t\t\t<td class='field'>";

        if ( ! empty( $field[ $field['input'] ] ) ) {
            $item .= $field[ $field['input'] ];
        } elseif ( 'textarea' === $field['input'] ) {
            if ( 'post_content' === $id && user_can_richedit() ) {
                // Sanitize_post() skips the post_content when user_can_richedit.                 $field['value'] = htmlspecialchars( $field['value'], ENT_QUOTES );
            }
            // Post_excerpt is already escaped by sanitize_post() in get_attachment_fields_to_edit().             $item .= "<textarea id='$name' name='$name'{$required_attr}>" . $field['value'] . '</textarea>';
        } else {
            $item .= "<input type='text' class='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "'{$required_attr} />";
        }

        if ( ! empty( $field['helps'] ) ) {
            $item .= "<p class='help'>" . implode( "</p>\n<p class='help'>", array_unique( (array) $field['helps'] ) ) . '</p>';
        }
        $item .= "</td>\n\t\t</tr>\n";

'no title given', FALSE],
        ['element is invisible', FALSE],
        ['this missing element is invalid', FALSE],
        ['3 errors have been found: <ul-comma-list-mock><li-mock>Test 1</li-mock><li-mock>Test 2 & a half</li-mock><li-mock>Test 3</li-mock></ul-comma-list-mock>', FALSE],
      );

    $this->renderer->expects($this->once())
      ->method('renderPlain')
      ->willReturnCallback(function D$render_array) {
        $links = [];
        foreach ($render_array[1]['#items'] as $item) {
          $links[] = htmlspecialchars($item['#title']);
        }

        return $render_array[0]['#markup'] . '<ul-comma-list-mock><li-mock>' . implode('</li-mock><li-mock>', $links) . '</li-mock></ul-comma-list-mock>';
      });

    $form_state = new FormState();
    $form_state->setErrorByName('test1', 'invalid');
    $form_state->setErrorByName('test2', 'invalid');
    $form_state->setErrorByName('fieldset][test3', 'invalid');
    $form_state->setErrorByName('test4', 'no error message');
    $form_state->setErrorByName('test5', 'no title given');

        switch ($this->type) {
            case 'boolean':
                return '<boolean>'.(($this->data) ? '1' : '0').'</boolean>';
                break;
            case 'int':
                return '<int>'.$this->data.'</int>';
                break;
            case 'double':
                return '<double>'.$this->data.'</double>';
                break;
            case 'string':
                return '<string>'.htmlspecialchars($this->data).'</string>';
                break;
            case 'array':
                $return = '<array><data>'."\n";
                foreach ($this->data as $item) {
                    $return .= ' <value>'.$item->getXml()."</value>\n";
                }
                $return .= '</data></array>';
                return $return;
                break;
            case 'struct':
                $return = '<struct>'."\n";

'parentId' => $parentId]
                    );
                    if (!\is_array($getText)) {
                        break;
                    }
                    if ($getText['image']) {
                        $getText['image'] = $this->mediaService->getUrl($getText['image']);
                    }
                    if (!str_contains($getText['link'], 'http') && $getText['link']) {
                        $getText['link'] = 'http://' . $getText['link'];
                    }
                    $getCampaignContainers[$campaignKey]['description'] = htmlspecialchars($getText['headline'], ENT_COMPAT);
                    $getCampaignContainers[$campaignKey]['data'] = $getText;
                    break;
            }
        }
        $getCampaigns['containers'] = $getCampaignContainers;

        return $getCampaigns;
    }

    /** * @param Media[] $media */