How can I properly escape HTML form input default values in PHP? How can I properly escape HTML form input default values in PHP? php php

How can I properly escape HTML form input default values in PHP?


php html forms xss

Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).

Always escape strings with htmlspecialchars() before showing them to the user.

php html forms xss

htmlspecialchars would work in both cases. Have a look at the different flag options to avoid quotation marks being a problem in the input case.

php html forms xss

Given it is kinda long I would put it in a function

<?PHPfunction encodeValue ($s) {    return htmlentities($s, ENT_COMPAT|ENT_QUOTES,'ISO-8859-1', true); }?>

This has ENT_QUOTES to make sure single and double quotes are encoded, but it will also encode special characters (Like in José) instead of inserting an empty string.

Then you can do:

<input type="text" name="firstname" value="<?= encodeValue($_POST['firstname']) ?>" />

and

<textarea name="content"><?= encodeValue($_POST['content']) ?></textarea>

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last