[PHP] htmlspecialchars() and HTML code

2003-08-14 Thread Thaddeus J. Quintin
Hello-
I'm working on a site where users have the option to type HTML code into 
a textarea, or upload HTML code from a local file which is then 
displayed in the text area.

The obvious problem is that an uploaded file that contains a closing tag 
for a textarea can wreak havoc and eat up the rest of the page.  So, in 
order to get it to display properly, I called htmlspecialchars() on the 
string and that works fine.

After any editing has been done, I can convert the text back using 
html_entity_decode().  This seems to be a decent solution to the problem.

However, if the user has included htmlentities in their code, won't 
these get converted when I call the decode function?  Even something 
simple like using a '<' symbol for a little arrow.  This would need to 
remain a '&lt;' and not get converted when html_entity_decode() is called.

Anybody dealt with something along these lines before or have some idea 
of a good solution?

Thanks-
Thaddeus
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] htmlspecialchars() and HTML code

2003-08-14 Thread Thaddeus J. Quintin
CPT John W. Holmes wrote:
--SNIP--
> Try this:
>
> <textarea name=text>This is &lt;some&gt; text</textarea>
>
> If you submit that text and then print $_REQUEST['text'], you'll see that
> you have
>
> This is <some> text
--SNIP--
Ok, but that only makes me realize the further extent of the problem.

If the HTML file that they upload has '&lt;' or '&gt;' entities, then 
these characters will be displayed in the text area as '<' and '>' 
symbols.  So when the text is submitted from the textarea, all of the 
user's HTML entities will have been destroyed.

Any thoughts on this problem?

Thaddeus



Re: [PHP] htmlspecialchars() and HTML code

2003-08-14 Thread Justin French
Have you done some testing with NOT converting the HTML within the 
textarea with htmlspecialchars() -- does it work for all cases where a 
</textarea> does not exist?

If so, then consider NOT doing it, and instead solving the problem of a 
</textarea> within the textarea.  Possible solutions may include:

1. not allowing such tags

2. just converting the problem tag to entities, rather than the whole 
string with
	$string = str_replace('</textarea>', '&lt;/textarea&gt;', $string);
then converting it back with
	$string = str_replace('&lt;/textarea&gt;', '</textarea>', $string);

This way, all other tags, entities and whatever are preserved.

Just a suggestion -- it's 2am here, so I'm sure there are other ways!

Justin





Re: [PHP] htmlspecialchars() and HTML code

2003-08-12 Thread Juan Nin
From: Thaddeus J. Quintin [EMAIL PROTECTED]

> If the HTML file that they upload has '&lt;' or '&gt;' entities, then
> these characters will be displayed in the text area as '<' and '>'
> symbols.  So when the text is submitted from the textarea, all of the
> user's HTML entities will have been destroyed.
> Any thoughts on this problem?

The uebimiau webmail is written in PHP and supports viewing and editing
HTML messages.
Maybe you can take a look at its code; perhaps it helps.

http://www.uebimiau.org

regards,

Juan





Re[2]: [PHP] htmlspecialchars() and HTML code

2003-08-11 Thread Tom Rogers
Hi,

Saturday, August 9, 2003, 1:57:04 AM, you wrote:
TJQ> CPT John W. Holmes wrote:
TJQ> --SNIP--
TJQ> > Try this:
TJQ> >
TJQ> > <textarea name=text>This is &lt;some&gt; text</textarea>
TJQ> >
TJQ> > If you submit that text and then print $_REQUEST['text'], you'll see that
TJQ> > you have
TJQ> >
TJQ> > This is <some> text
TJQ> --SNIP--
TJQ> Ok, but that only makes me realize the further extent of the problem.

TJQ> If the HTML file that they upload has '&lt;' or '&gt;' entities, then 
TJQ> these characters will be displayed in the text area as '<' and '>' 
TJQ> symbols.  So when the text is submitted from the textarea, all of the 
TJQ> user's HTML entities will have been destroyed.

TJQ> Any thoughts on this problem?

TJQ> Thaddeus


one way is to change textarea to text_area  and then change it back
on submit

-- 
regards,
Tom





Re: [PHP] htmlspecialchars() and HTML code

2003-08-10 Thread CPT John W. Holmes
From: Thaddeus J. Quintin [EMAIL PROTECTED]
> I'm working on a site where users have the option to type HTML code into
> a textarea, or upload HTML code from a local file which is then
> displayed in the text area.
>
> The obvious problem is that an uploaded file that contains a closing tag
> for a textarea can wreak havoc and eat up the rest of the page.  So, in
> order to get it to display properly, I called htmlspecialchars() on the
> string and that works fine.
>
> After any editing has been done, I can convert the text back using
> html_entity_decode().  This seems to be a decent solution to the problem.
>
> However, if the user has included htmlentities in their code, won't
> these get converted when I call the decode function?  Even something
> simple like using a '<' symbol for a little arrow.  This would need to
> remain a '&lt;' and not get converted when html_entity_decode() is called.

You should not have to call html_entity_decode() at all. You encode the text
to get it to show in the text area. When the form is submitted, you get the
text exactly as it appears in the textarea. In other words, without the html
entities.

Try this:

<textarea name=text>This is &lt;some&gt; text</textarea>

If you submit that text and then print $_REQUEST['text'], you'll see that
you have

This is <some> text

---John Holmes...





Re: [PHP] htmlspecialchars() and HTML code

2003-08-10 Thread Robert Cummings
You're safe because when you apply htmlentities() these will be doubly
marked up. So if the file contains &amp; then the browser will receive
&amp;amp;.

HTH,
Rob.





Re: [PHP] htmlspecialchars() and HTML code

2003-08-09 Thread John W. Holmes
Thaddeus J. Quintin wrote:

> CPT John W. Holmes wrote:
> --SNIP--
> > Try this:
> >
> > <textarea name=text>This is &lt;some&gt; text</textarea>
> >
> > If you submit that text and then print $_REQUEST['text'], you'll see that
> > you have
> >
> > This is <some> text
> --SNIP--
> Ok, but that only makes me realize the further extent of the problem.
>
> If the HTML file that they upload has '&lt;' or '&gt;' entities, then 
> these characters will be displayed in the text area as '<' and '>' 
> symbols.  So when the text is submitted from the textarea, all of the 
> user's HTML entities will have been destroyed.
>
> Any thoughts on this problem?

Yep, of course. :)

If there is a &lt; in the file, when you apply htmlentities(), it'll 
come out in the HTML source as &amp;lt; and appear as &lt; in the 
rendered textarea. So... it's not an issue.

--
---John Holmes...


Re: [PHP] htmlspecialchars() and HTML code

2003-08-08 Thread Thaddeus J. Quintin
Thanks everybody!

Looks like I was just thinking about the problem too hard.

Thaddeus
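
The round trip the thread settles on, written out as an added example (not code from any of the posters). The sample upload is constructed, and simulate_submit() is a hypothetical stand-in for what a browser does with textarea content: end the field at the first closing tag, decode character references once, submit the result.

```php
<?php
// Constructed sample upload: an entity the author wants kept, an encoded
// ampersand, and a mixed-case closing tag that would end the form field early.
$uploaded = "a &lt; b &amp;&amp; c\n</TextArea><p>rest of file</p>";

const FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Server side: encode exactly once while writing the value into the page.
// The extra "\n" is consumed by the HTML parser, so a value that itself
// starts with a newline is not shortened.
function render_textarea(string $name, string $value): string
{
    return '<textarea name="' . htmlspecialchars($name, FLAGS, 'UTF-8') . "\">\n"
         . htmlspecialchars($value, FLAGS, 'UTF-8') . '</textarea>';
}

// Stand-in for the browser (hypothetical helper): content ends at the first
// closing tag in any letter case, one leading newline is dropped, and
// character references are decoded once before the value is submitted.
function simulate_submit(string $html): string
{
    preg_match('~<textarea[^>]*>(.*?)</textarea~is', $html, $m);
    $raw = preg_replace('~^\r?\n~', '', $m[1], 1);
    return html_entity_decode($raw, FLAGS, 'UTF-8');
}

// 1. Encode on output and use the submitted value as-is: nothing is lost.
$submitted = simulate_submit(render_textarea('text', $uploaded));
var_dump($submitted === $uploaded);

// 2. Decoding a second time on the server is what destroys the entities.
var_dump(html_entity_decode($submitted, FLAGS, 'UTF-8') === $uploaded);

// 3. No encoding at all: the field is cut off at the closing tag and the
// entities in the file reach the server already decoded.
$cut = simulate_submit('<textarea name="text">' . $uploaded . '</textarea>');
var_dump($cut);

// 4. Replacing only the literal '</textarea>' misses other spellings of the
// tag and still lets the browser decode the file's own entities.
$patched = str_replace('</textarea>', '&lt;/textarea&gt;', $uploaded);
var_dump(simulate_submit('<textarea name="text">' . $patched . '</textarea>') === $uploaded);
```
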
