Re: [PHP] Re: Displaying HTML characters in real format

2007-07-12 Thread Richard Lynch
On Thu, July 12, 2007 6:08 pm, Dan wrote:
> string htmlentities ( string $string [, int $quote_style [, string
> $charset
> [, bool $double_encode]]] )
>
> This function is identical to htmlspecialchars() in all ways, except
> with
> htmlentities(), all characters which have HTML character entity
> equivalents
> are translated into these entities.
>
> This means that if there's an HTML equivalent it will translate into
> that.
> For example.  ' and " don't have HTML equivalents, it is ',
> anything
> with a #number won't get translated.  With htmlspecialchars it will.

I think you've managed to confuse more than you've explained...

" does have an HTML equivalent, it's &quot;

htmlspecialchars and htmlentities do the same thing to ", they turn it
into &quot; so it can be displayed as CONTENT in a webpage instead of
possibly being mistaken for CODE.

Both functions will also do exactly the same thing for < > & as well:
Convert them to &lt; &gt; &amp; respectively.

htmlentities will ALSO convert every other goofy character into an
HTML Equivalent, so it is safe to spew out to a browser, so the
browser will know it's CONTENT and not CODE.

htmlspecialchars will do NO conversion on anything but those special
four chars, so is not safe to apply unless you somehow magically
"know" that the data contains no HTML-specific characters other than
those four...

IOW, htmlspecialchars is probably not real useful for general everyday
PHP scripting, as it only escapes 4 out of a whole bunch of characters
that need escaping.

htmlentities is irreplaceable for general everyday PHP scripting,
because it escapes all of them.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: Displaying HTML characters in real format

2007-07-12 Thread Dan
string htmlentities ( string $string [, int $quote_style [, string $charset 
[, bool $double_encode]]] )


This function is identical to htmlspecialchars() in all ways, except with 
htmlentities(), all characters which have HTML character entity equivalents 
are translated into these entities.


This means that if there's an HTML equivalent it will translate into that. 
For example.  ' and " don't have HTML equivalents, it is ', anything 
with a #number won't get translated.  With htmlspecialchars it will.


Hope that answered your question.

- Dan

"Don Don" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]

Hi all,

I'm kind of confused between htmlspecialchars and htmlentities. I've got 
data I need to display on a page containing e.g. " but would 
like it to be displayed as "


htmlspecialchars or htmlentities or page character set ?

Cheers


-
Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, 
news, photos & more. 





[PHP] Re: Displaying HTML characters in real format

2007-07-12 Thread Al
Best way to learn, and remember, things like this is to make a simple test page 
and see for yourself.


Don Don wrote:
Hi all,  


I'm kind of confused between htmlspecialchars and htmlentities. I've got data I need to 
display on a page containing e.g. " but would like it to be displayed as 
"

htmlspecialchars or htmlentities or page character set ?

Cheers



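The test page Al suggests, written out as an added example (it is not code from Dan, Richard Lynch or Al): it runs htmlspecialchars() and htmlentities() over the same constructed input so the difference Richard describes is visible, shows what the fourth ($double_encode) argument does, shows why the $charset argument matters, and uses html_entity_decode() for the original question of showing a stored &quot; as a literal quote. It assumes PHP 7 or later (for the \u{...} string escapes) and a UTF-8 page; the comment under each call gives the value that is passed to show(), not the page source.

```php
<?php
// Added example, not from the thread: compare htmlspecialchars() and
// htmlentities() on one constructed input. Assumes PHP 7+ and UTF-8.

// Constructed sample: the five HTML-significant characters (< > & " ')
// plus two non-ASCII characters (en dash, e-acute).
$sample = "<b>O'Reilly & \"Co\" \u{2013} caf\u{E9}</b>";
$flags  = ENT_QUOTES | ENT_SUBSTITUTE;

function show(string $label, string $value): void
{
    // Escape the result once more so the test page displays the entities
    // themselves instead of rendering them.
    echo '<li>', $label, ': <code>',
         htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
         "</code></li>\n";
}

header('Content-Type: text/html; charset=UTF-8');
echo "<ul>\n";

show('htmlspecialchars', htmlspecialchars($sample, $flags, 'UTF-8'));
// &lt;b&gt;O&#039;Reilly &amp; &quot;Co&quot; – café&lt;/b&gt;

show('htmlentities', htmlentities($sample, $flags, 'UTF-8'));
// &lt;b&gt;O&#039;Reilly &amp; &quot;Co&quot; &ndash; caf&eacute;&lt;/b&gt;

// $double_encode (4th argument): the default true re-escapes entities that
// are already present; false leaves them alone.
$already = '&amp; &lt;tag&gt; &quot;x&quot;';
show('already encoded, double_encode=true',
     htmlspecialchars($already, $flags, 'UTF-8'));
// &amp;amp; &amp;lt;tag&amp;gt; &amp;quot;x&amp;quot;
show('already encoded, double_encode=false',
     htmlspecialchars($already, $flags, 'UTF-8', false));
// &amp; &lt;tag&gt; &quot;x&quot;

// $charset matters: a byte sequence that is not valid in the declared
// charset makes htmlspecialchars() return an empty string unless
// ENT_SUBSTITUTE (or ENT_IGNORE) is set, which blanks the whole value.
$broken = "valid \xC3 invalid";   // constructed: truncated UTF-8 sequence
show('invalid UTF-8, ENT_QUOTES only', htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));
// (empty string)
show('invalid UTF-8, ENT_SUBSTITUTE', htmlspecialchars($broken, $flags, 'UTF-8'));
// valid � invalid   (the bad byte becomes U+FFFD)

// The original question: show a stored &quot; as a real quote character.
show('html_entity_decode',
     html_entity_decode('She said &quot;hi&quot; &amp; left', $flags, 'UTF-8'));
// She said "hi" & left

echo "</ul>\n";
```

Everything htmlentities() rewrites beyond the five characters (the dash, the é) is display data with no meaning to the HTML parser, so in a text or attribute context it is htmlspecialchars() with ENT_QUOTES and the correct $charset that keeps content from being read as markup; htmlentities() is the one to reach for when the page's declared charset cannot carry the characters themselves. Use html_entity_decode() only on data you are about to store or process, never as the last step before echoing it into a page.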



Re: [PHP] Re: Displaying HTML safely

2005-07-17 Thread Lauri Harpf
> Something like this (you might like to check the syntax, I'm working from 
> memory here) might work:
>
> header('Content-Disposition: attachment; filename=somefile.html');

Thanks, I'll have to try that.

As for security, looks like I will need to watch out for the extensions. 
Turns out that the server I'm on executes .php files as long as the 
directory they are located in is chmod'ed 755. Permissions on the .php file 
itself don't seem to matter.

Apparently, anything else than 755 on the directory prevents Apache from 
bringing up the HTML files. I thought that 644 would have been enough for 
HTML, but I guess I was mistaken.

- Lauri Harpf 




Re: [PHP] Re: Displaying HTML safely

2005-07-16 Thread Jasper Bryant-Greene

Dotan Cohen wrote:

On 7/16/05, Lauri Harpf <[EMAIL PROTECTED]> wrote:

I've been thinking of limiting this problem by preventing the direct
displaying of the code (ie. only allowing "Save As.." for the link to the
user-submitted HTML). I guess a bit of JS could prevent accidental
left-clicking on the link. I've also been thinking of passing a special
header for the HTML source code file, "Content-type:
application/octet-stream" to suggest downloading rather than displaying the
contents, but IE seems to just ignore it and display the HTML anyhow.


Something like this (you might like to check the syntax, I'm working 
from memory here) might work:


header('Content-Disposition: attachment; filename=somefile.html');


Forget trying to work around IE. The browser is broken. It is
non-standard. Its bugs are not fixed. The more you bang your head
against the wall trying to fix what is Microsoft's responsibility to
fix, the less reason people will have to switch to a non-broken
browser (or OS!). Let them use a standards-compliant web browser.


If only we lived in such a perfect world... remember that the majority 
of web users use IE, so unless you enjoy shutting out the majority of 
your customers, we do need to work around it.


Let's not get this thread OT though.

Jasper




Re: [PHP] Re: Displaying HTML safely

2005-07-16 Thread Dotan Cohen
On 7/16/05, Lauri Harpf <[EMAIL PROTECTED]> wrote:
> > Well, unless you have set your server up to execute PHP or CGI scripts in
> > .html files, which is a very bad idea, the only thing you need to worry
> > about is client-side scripting. You could just filter out all
> > <script> tags if client-side scripting isn't important for your
> > application...
> 
> That's one of the problems I have, but it seems a tough nut to crack. If I
> leave in the scripts, it opens a possibility of malicious scripts being fed
> to a user through the application.
> 
> On the other hand, if I take out the scripts, I will be providing a broken
> version of the original page. People are not going to be happy if my "llama
> to alpaca"-application has the side effect of deleting all of their scripts.
> 
> I've been thinking of limiting this problem by preventing the direct
> displaying of the code (ie. only allowing "Save As.." for the link to the
> user-submitted HTML). I guess a bit of JS could prevent accidental
> left-clicking on the link. I've also been thinking of passing a special
> header for the HTML source code file, "Content-type:
> application/octet-stream" to suggest downloading rather than displaying the
> contents, but IE seems to just ignore it and display the HTML anyhow.
> 
> - Lauri Harpf
> 

Forget trying to work around IE. The browser is broken. It is
non-standard. Its bugs are not fixed. The more you bang your head
against the wall trying to fix what is Microsoft's responsibility to
fix, the less reason people will have to switch to a non-broken
browser (or OS!). Let them use a standards-compliant web browser.

Dotan Cohen
http://x-christmas.com




[PHP] Re: Displaying HTML safely

2005-07-16 Thread Lauri Harpf
> Well, unless you have set your server up to execute PHP or CGI scripts in 
> .html files, which is a very bad idea, the only thing you need to worry 
> about is client-side scripting. You could just filter out all 
> <script> tags if client-side scripting isn't important for your 
> application...

That's one of the problems I have, but it seems a tough nut to crack. If I 
leave in the scripts, it opens a possibility of malicious scripts being fed 
to a user through the application.

On the other hand, if I take out the scripts, I will be providing a broken 
version of the original page. People are not going to be happy if my "llama 
to alpaca"-application has the side effect of deleting all of their scripts.

I've been thinking of limiting this problem by preventing the direct 
displaying of the code (ie. only allowing "Save As.." for the link to the 
user-submitted HTML). I guess a bit of JS could prevent accidental 
left-clicking on the link. I've also been thinking of passing a special 
header for the HTML source code file, "Content-type: 
application/octet-stream" to suggest downloading rather than displaying the 
contents, but IE seems to just ignore it and display the HTML anyhow.

- Lauri Harpf 




[PHP] Re: Displaying HTML safely

2005-07-15 Thread Jasper Bryant-Greene

Lauri Harpf wrote:

Now, if I make a point of not "chmod 755"ing the .html files in
question, the server should be safe from someone feeding a html file
with an embedded PHP script, right? Is there something else I should
be looking out for - or is there an even better way of handling the
transferring of the HTML code from the application to the user?


Well, unless you have set your server up to execute PHP or CGI scripts 
in .html files, which is a very bad idea, the only thing you need to 
worry about is client-side scripting. You could just filter out all 
<script> tags if client-side scripting isn't important for your 
application...


Jasper

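The approach Lauri outlines (hand the user-submitted HTML to the browser as a download rather than rendering it) combined with the Content-Disposition header Jasper suggests, written out as an added example; it is not code from either of them. It assumes PHP 7 or later, that submissions are stored outside the web root under a hypothetical directory /var/app/submissions with a fixed .txt suffix, and that they are looked up by an all-digit id passed as ?id=...; the optional ?name=... parameter only influences the suggested file name.

```php
<?php
// Added example, not from the thread: serve a stored, user-submitted HTML
// file as a download so the browser never renders it as a page.
// Assumptions: PHP 7+, files live outside the web root under STORE_DIR
// (hypothetical path) as <id>.txt, and ids are digits only.

const STORE_DIR = '/var/app/submissions';

function submission_path(string $id): ?string
{
    // Allow only a numeric id so the request can never name another file
    // (no "../", no absolute paths, no extension games).
    if (!preg_match('/^[0-9]{1,12}$/', $id)) {
        return null;
    }
    $path = STORE_DIR . '/' . $id . '.txt';
    return is_file($path) ? $path : null;
}

function download_filename(string $name): string
{
    // Reduce the user-chosen name to a safe character set; the result can be
    // placed inside the quoted filename= parameter without further escaping.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');            // no hidden files, no leading ".."
    if ($name === '' || strlen($name) > 100) {
        $name = 'submission';
    }
    return $name . '.html';
}

function send_as_download(string $id, string $name): void
{
    $path = submission_path($id);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    // The attachment disposition, not the content type, is what makes the
    // browser offer a save dialog instead of displaying the file inline.
    header('Content-Disposition: attachment; filename="' . download_filename($name) . '"');
    // Ask the browser (IE8 and later, and the others) not to sniff the body
    // and decide on its own that it is text/html after all.
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

send_as_download($_GET['id'] ?? '', $_GET['name'] ?? '');
```

Keeping the files outside the web root with a .txt suffix sidesteps the question of which extensions the server executes and what the directory is chmod'ed to: Apache never sees them, and the only thing that reaches the client is what readfile() sends under the headers above. Removing <script> tags alone would not make inline display safe, since event-handler attributes and javascript: URLs survive that filter, which is why a download link is the simpler answer when the submitted page has to be delivered unmodified.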



[PHP] Re: Displaying html

2001-12-17 Thread Fred

It depends on how you have magic quotes set up in your php.ini file.  Mine
are set up as follows:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
which I believe is the default, because I certainly never changed them.

I have never had a problem simply inserting or selecting html without the
need for using any of the escape functions.  In other words, I do it just
like I would any other data and it works well.

Fred

Steve Osborne <[EMAIL PROTECTED]> wrote in message
news:000f01c18753$e8d086e0$[EMAIL PROTECTED]...
> Does anyone know of an easy way to store html code in a mysql database,
> and then retrieve it, in such a way that it can display the page as if it
> were a standard html page?  Would using php be of benefit to me?
>
> Steve Osborne
> [EMAIL PROTECTED]
>
> <?php /* Happy Holidays */
> mysql_select_db('North_Pole');
> mysql_query('SELECT reindeer FROM stable WHERE nose_color="red"');
> ?>*
>
> *(borrowed from Paul)
>



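An added example for Steve's question (not Fred's or Steve's code) of storing a block of HTML in a database and reading it back byte-for-byte, using PDO prepared statements so that quotes and backslashes in the HTML are bound as data rather than relying on magic_quotes_gpc, which was removed in PHP 5.4. It assumes PHP 7 or later with the pdo_sqlite extension, and a pages table with an id and a body column; SQLite in memory is used so the script runs stand-alone, and the MySQL DSN in the comment is the only line that changes for a real database.

```php
<?php
// Added example, not from the thread: round-trip HTML through a database
// with prepared statements. Assumes PHP 7+ and pdo_sqlite; the table
// "pages" (id, body) is created here for the in-memory database.

function open_db(): PDO
{
    // For MySQL: new PDO('mysql:host=localhost;dbname=North_Pole;charset=utf8mb4', $user, $pass)
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function store_page(PDO $db, string $html): int
{
    // The HTML is sent as a bound parameter: its quotes, backslashes and
    // semicolons never reach the SQL parser, so no escaping function and no
    // magic_quotes setting is involved.
    $stmt = $db->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->execute([':body' => $html]);
    return (int) $db->lastInsertId();
}

function load_page(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Constructed sample: the kind of input that breaks a query built by string
// concatenation (quotes of both kinds, a backslash, an SQL comment marker).
$html = "<p class=\"greeting\">It's \"Christmas\"; 'tis the season -- O'Reilly \\ & co</p>\n";

$db   = open_db();
$id   = store_page($db, $html);
$back = load_page($db, $id);

if ($back !== $html) {
    fwrite(STDERR, "round trip changed the stored HTML\n");
    exit(1);
}

// Output the stored page as-is: it was authored by us, so it is sent as HTML.
// HTML submitted by users is a different problem (see the
// "Displaying HTML safely" thread above) and must not be echoed this way.
header('Content-Type: text/html; charset=UTF-8');
echo $back;
```

With a bound parameter the stored bytes equal the submitted bytes whatever magic_quotes_gpc is set to; with magic_quotes_gpc On and a string-built query, the same input would be stored with extra backslashes on one server and break the query on another, which is the inconsistency that option was eventually removed for.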