Avoid accidental double encoding with htmlspecialchars?

I am currently tightening security on my website, and I am trying to ensure that every value passed from PHP to HTML is correctly encoded.

Assigning values to a template currently encodes them; however, some parts of the website are outdated and do not use templates.

I changed the functions that I use for HTML output so that they encode all values. This is great for covering all the old pages, but it now causes double encoding of template values.

I changed the encoding function that I use to:

```php
function encodeForHtml($szText)
{
    // Decode first so that an already-encoded value is not encoded a second time.
    $textToEncode = htmlspecialchars_decode($szText);
    return htmlspecialchars($textToEncode, ENT_COMPAT, 'ISO-8859-1');
}
```

From what I can see, it works. By decoding first, it is guaranteed never to encode twice, and I cannot think of any reason why decoding an unencoded string would cause problems. Is this a good solution?

+4
3 answers

You are just out of luck. Either you know that the string is encoded or you don't. You cannot detect or guess it. What if I want to write &amp; and the row in your database contains exactly that value? It is an original, unencoded string, but it looks encoded.

You need to keep track of where, when and why you encode strings; you cannot reliably work this out after the fact.

If one of your users wrote this in your hypothetical forum:

```
The HTML entity for "&" is "&amp;".
```

Then your decode-and-encode, or the "smart non-double-encoding" that @Robert offers, would turn this into:

```
The HTML entity for "&" is "&".
```

And the whole point of this message is lost.

+6

If you look at the manual, you will see that what you are looking for is the last argument to the function, $double_encode = false, which defaults to true:

```php
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = 'UTF-8' [, bool $double_encode = true ]]] )
```

Like this:

```php
htmlspecialchars($textToEncode, ENT_COMPAT, 'ISO-8859-1', false);
```
+5

The solution for you is to use the double_encode parameter of htmlspecialchars.

From the manual:

When double_encode is off, PHP will not encode existing HTML entities; by default it converts everything.

double_encode was added in PHP 5.2.3.

```php
// Pass false as the fourth argument ($double_encode) to leave existing entities untouched.
htmlspecialchars($stringToEncode, $flags, $charsetEncoding, $double_encode);
```
+1
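The following PHP script is an added example and is not code from the question or from any of the answers. It puts the three approaches discussed above side by side: the decode-then-encode function from the question, `double_encode = false` from the last two answers, and plain single encoding at the output boundary. The three sample strings are constructed for the demonstration; the function names are assumptions made here.

```php
<?php
// Added example: compares three ways of encoding a value for HTML output.
// All sample inputs below are constructed for this demonstration.

declare(strict_types=1);

// Approach from the question: decode first, then encode.
function decodeThenEncode(string $s): string
{
    return htmlspecialchars(htmlspecialchars_decode($s), ENT_COMPAT, 'ISO-8859-1');
}

// Approach from the other answers: tell htmlspecialchars() not to touch
// anything that already looks like an entity.
function encodeNoDouble(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'ISO-8859-1', false);
}

// Encode exactly once, at the point where the value is written into HTML.
function encodeOnce(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'ISO-8859-1');
}

$samples = [
    // Raw user text that merely looks like it contains an entity: the user
    // typed the five characters "&amp;" and expects to see them on the page.
    'literal' => 'The HTML entity for "&" is "&amp;".',
    // A value that a template has already encoded once.
    'encoded' => htmlspecialchars('Tom & "Jerry"', ENT_COMPAT, 'ISO-8859-1'),
    // Plain raw text from an old page that never went through a template.
    'raw'     => 'Tom & "Jerry"',
];

foreach ($samples as $label => $value) {
    printf("%-8s input:            %s\n", $label, $value);
    printf("%-8s decodeThenEncode: %s\n", '', decodeThenEncode($value));
    printf("%-8s encodeNoDouble:   %s\n", '', encodeNoDouble($value));
    printf("%-8s encodeOnce:       %s\n\n", '', encodeOnce($value));
}
```

Running it shows that no single function handles every row. For the `literal` input, both `decodeThenEncode()` and `encodeNoDouble()` emit `&quot;&amp;&quot;` for the last word, which the browser renders as a bare `&`, so the sentence loses its meaning exactly as the first answer describes; only `encodeOnce()` produces `&amp;amp;` and renders the intended `&amp;`. For the `encoded` input the situation reverses: `encodeOnce()` double-encodes to `Tom &amp;amp; &amp;quot;Jerry&amp;quot;`, the bug the question started from, while the other two leave it correct. Only the `raw` input is handled identically by all three. The safe design is therefore to encode once, at the output boundary, and to know for each value whether it has already been encoded, rather than guessing from the string's contents.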

Source: https://habr.com/ru/post/1481729/
